A developer is building a serverless application that is based on AWS Lambda. The developer initializes the AWS software development kit (SDK) outside of the Lambda handcar function.
What is the PRIMARY benefit of this action?

1. A. Improves legibility and systolic convention
2. B. Takes advantage of runtime environment reuse
3. C. Provides better error handling
4. D. Creates a new SDK instance for each invocation

Correct Answer: B
This benefit occurs when initializing the AWS SDK outside of the Lambda handler function because it allows the SDK instance to be reused across multiple invocations of the same function. This can improve performance and reduce latency by avoiding unnecessary initialization overhead. If the SDK is initialized inside the handler function, it will create a new SDK instance for each invocation, which can increase memory usage and execution time.
Reference: [AWS Lambda execution environment], [Best Practices for Working with AWS
Lambda Functions]

A company needs to harden its container images before the images are in a running state. The company's application uses Amazon Elastic Container Registry (Amazon ECR) as an image registry. Amazon Elastic Kubernetes Service (Amazon EKS) for compute, and an AWS CodePipeline pipeline that orchestrates a continuous integration and continuous delivery (CI/CD) workflow.
Dynamic application security testing occurs in the final stage of the pipeline after a new image is deployed to a development namespace in the EKS cluster. A developer needs to
place an analysis stage before this deployment to analyze the container image earlier in the CI/CD pipeline.
Which solution will meet these requirements with the MOST operational efficiency?

1. A. Build the container image and run the docker scan command locall
2. B. Mitigate any findings before pushing changes to the source code repositor
3. C. Write a pre-commit hook that enforces the use of this workflow before commit.
4. D. Create a new CodePipeline stage that occurs after the container image is buil
5. E. Configure ECR basic image scanning to scan on image pus
6. F. Use an AWS Lambda function as the action provide
7. G. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.
8. H. Create a new CodePipeline stage that occurs after source code has been retrieved from its repositor
9. I. Run a security scanner on the latest revision of the source cod
10. J. Fail the pipeline if there are findings.
11. K. Add an action to the deployment stage of the pipeline so that the action occurs before the deployment to the EKS cluste
12. L. Configure ECR basic image scanning to scan on image pus
13. M. Use an AWS Lambda function as the action provide
14. N. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.

Correct Answer: B
The solution that will meet the requirements with the most operational efficiency is to create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings. This way, the container image is analyzed earlier in the CI/CD pipeline and any vulnerabilities are detected and reported before deploying to the EKS cluster. The other options either delay the analysis until after deployment, which increases the risk of exposing insecure images, or perform analysis on the source code instead of the container image, which may not capture all the dependencies and configurations that affect the security posture of the image.
Reference: Amazon ECR image scanning

A development team maintains a web application by using a single AWS CloudFormation template. The template defines web servers and an Amazon RDS database. The team uses the Cloud Formation template to deploy the Cloud Formation stack to different environments.
During a recent application deployment, a developer caused the primary development database to be dropped and recreated. The result of this incident was a loss of data. The team needs to avoid accidental database deletion in the future.
Which solutions will meet these requirements? (Choose two.)

1. A. Add a CloudFormation Deletion Policy attribute with the Retain value to the database resource.
2. B. Update the CloudFormation stack policy to prevent updates to the database.
3. C. Modify the database to use a Multi-AZ deployment.
4. D. Create a CloudFormation stack set for the web application and database deployments.
5. E. Add a Cloud Formation DeletionPolicy attribute with the Retain value to the stack.

Correct Answer: AB
AWS CloudFormation is a service that enables developers to model and provision AWS resources using templates. The developer can add a CloudFormation Deletion Policy attribute with the Retain value to the database resource. This will prevent the database from being deleted when the stack is deleted or updated. The developer can also update the CloudFormation stack policy to prevent updates to the database. This will prevent accidental changes to the database configuration or properties.
References:
✑ [What Is AWS CloudFormation? - AWS CloudFormation]
✑ [DeletionPolicy Attribute - AWS CloudFormation]
✑ [Protecting Resources During Stack Updates - AWS CloudFormation]

A developer is troubleshooting an Amazon API Gateway API Clients are receiving HTTP 400 response errors when the clients try to access an endpoint of the API.
How can the developer determine the cause of these errors?

1. A. Create an Amazon Kinesis Data Firehose delivery stream to receive API call logs from API Gatewa
2. B. Configure Amazon CloudWatch Logs as the delivery stream's destination.
3. C. Turn on AWS CloudTrail Insights and create a trail Specify the Amazon Resource Name (ARN) of the trail for the stage of the API.
4. D. Turn on AWS X-Ray for the API stage Create an Amazon CtoudWalch Logs log group Specify the Amazon Resource Name (ARN) of the log group for the API stage.
5. E. Turn on execution logging and access logging in Amazon CloudWatch Logs for the API stag
6. F. Create a CloudWatch Logs log grou
7. G. Specify the Amazon Resource Name (ARN) of the log group for the API stage.

Correct Answer: D
This solution will meet the requirements by using Amazon CloudWatch Logs to capture and analyze the logs from API Gateway. Amazon CloudWatch Logs is a service that monitors, stores, and accesses log files from AWS resources. The developer can turn on execution logging and access logging in Amazon CloudWatch Logs for the API stage, which enables logging information about API execution and client access to the API. The developer can create a CloudWatch Logs log group, which is a collection of log streams that share the same retention, monitoring, and access control settings. The developer can specify the Amazon Resource Name (ARN) of the log group for the API stage, which instructs API Gateway to send the logs to the specified log group. The developer can then examine the logs to determine the cause of the HTTP 400 response errors. Option A is not optimal because it will create an Amazon Kinesis Data Firehose delivery stream to receive API call logs from API Gateway, which may introduce additional costs and complexity for delivering and processing streaming data. Option B is not optimal because it will turn on AWS CloudTrail Insights and create a trail, which is a feature that helps identify and troubleshoot unusual API activity or operational issues, not HTTP response errors. Option C is not optimal because it will turn on AWS X-Ray for the API stage, which is a service that helps analyze and debug distributed applications, not HTTP response errors. References: [Setting Up CloudWatch Logging for a REST API], [CloudWatch Logs Concepts]

A company is planning to use AWS CodeDeploy to deploy an application to Amazon Elastic Container Service (Amazon ECS) During the deployment of a new version of the application, the company initially must expose only 10% of live traffic to the new version of the deployed application. Then, after 15 minutes elapse, the company must route all the remaining live traffic to the new version of the deployed application.
Which CodeDeploy predefined configuration will meet these requirements?

1. A. CodeDeployDefault ECSCanary10Percent15Minutes
2. B. CodeDeployDefault LambdaCanary10Percent5Minutes
3. C. CodeDeployDefault LambdaCanary10Percent15Minutes
4. D. CodeDeployDefault ECSLinear10PercentEvery1 Minutes

Correct Answer: A
The predefined configuration "CodeDeployDefault.ECSCanary10Percent15Minutes" is designed for Amazon Elastic Container Service (Amazon ECS) deployments and meets the specified requirements. It will perform a canary deployment, which means it will initially route 10% of live traffic to the new version of the application, and then after 15 minutes elapse, it will automatically route all the remaining live traffic to the new version. This gradual deployment approach allowsthe company to verify the health and performance of the new version with a small portion of traffic before fully deploying it to all users.