A company's developers use Amazon EC2 instances as remote workstations. The company is concerned that users can create or modify EC2 security groups to allow unrestricted inbound access.
A DevOps engineer needs to develop a solution to detect when users create unrestricted security group rules. The solution must detect changes to security group rules in near real time, remove unrestricted rules, and send email notifications to the security team. The DevOps engineer has created an AWS Lambda function that checks for security group ID from input, removes rules that grant unrestricted access, and sends notifications through Amazon Simple Notification Service (Amazon SNS).
What should the DevOps engineer do next to meet the requirements?

1. A. Configure the Lambda function to be invoked by the SNS topi
2. B. Create an AWS CloudTrail subscription for the SNS topi
3. C. Configure a subscription filter for security group modification events.
4. D. Create an Amazon EventBridge scheduled rule to invoke the Lambda functio
5. E. Define a schedule pattern that runs the Lambda function every hour.
6. F. Create an Amazon EventBridge event rule that has the default event bus as the sourc
7. G. Define the rule’s event pattern to match EC2 security group creation and modification event
8. H. Configure the rule to invoke the Lambda function.
9. I. Create an Amazon EventBridge custom event bus that subscribes to events from all AWS service
10. J. Configure the Lambda function to be invoked by the custom event bus.

Correct Answer: C
To meet the requirements, the DevOps engineer should create an Amazon EventBridge event rule that has the default event bus as the source. The rule's event pattern should match EC2 security group creation and modification events, and it should be configured to invoke the Lambda function. This solution will allow for near real-time detection of security group rule changes and will trigger the Lambda function to remove any unrestricted rules and send email notifications to the security team. https://repost.aws/knowledge-center/monitor-security-group-changes-ec2

A company needs a strategy for failover and disaster recovery of its data and application. The application uses a MySQL database and Amazon EC2 instances. The company requires a maximum RPO of 2 hours and a maximum RTO of 10 minutes for its data and application at all times.
Which combination of deployment strategies will meet these requirements? (Select TWO.)

1. A. Create an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data stor
2. B. Use Aurora's automatic recovery capabilities in the event of a disaster.
3. C. Create an Amazon Aurora global database in two AWS Regions as the data stor
4. D. In the event of a failure, promote the secondary Region to the primary for the applicatio
5. E. Update the application to use the Aurora cluster endpoint in the secondary Region.
6. F. Create an Amazon Aurora cluster in multiple AWS Regions as the data stor
7. G. Use a Network Load Balancer to balance the database traffic in different Regions.
8. H. Set up the application in two AWS Region
9. I. Use Amazon Route 53 failover routing that points to Application Load Balancers in both Region
10. J. Use health checks and Auto Scaling groups in each Region.
11. K. Set up the application in two AWS Region
12. L. Configure AWS Global Accelerator to point to Application Load Balancers (ALBs) in both Region
13. M. Add both ALBs to a single endpoint grou
14. N. Use health checks and Auto Scaling groups in each Region.

Correct Answer: BE
To meet the requirements of failover and disaster recovery, the company should use the following deployment strategies:
✑ Create an Amazon Aurora global database in two AWS Regions as the data store.
In the event of a failure, promote the secondary Region to the primary for the application. Update the application to use the Aurora cluster endpoint in the secondary Region. This strategy can provide a low RPO and RTO for the data, as Aurora global database replicates data with minimal latency across Regions and allows fast and easy failover12. The company can use the Amazon Aurora cluster endpoint to connect to the current primary DB cluster without needing to change any application code1.
✑ Set up the application in two AWS Regions. Configure AWS Global Accelerator to
point to Application Load Balancers (ALBs) in both Regions. Add both ALBs to a single endpoint group. Use health checks and Auto Scaling groups in each Region. This strategy can provide high availability and performance for the application, as AWS Global Accelerator uses the AWS global network to route traffic to the closest healthy endpoint3. The company can also use static IP addresses that are assigned by Global Accelerator as a fixed entry point for their application1. By using health checks and Auto Scaling groups, the company can ensure that their application can scale up or down based on demand and handle any instance failures4.
The other options are incorrect because:
✑ Creating an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data store would not provide a fast failover or disaster recovery solution, as the company would need to manually restore data from backups or snapshots in another Region in case of a failure.
✑ Creating an Amazon Aurora cluster in multiple AWS Regions as the data store and using a Network Load Balancer to balance the database traffic in different Regions would not work, as Network Load Balancers do not support cross-Region routing. Moreover, this strategy would not provide a consistent view of the data across Regions, as Aurora clusters do not replicate data automatically between Regions unless they are part of a global database.
✑ Setting up the application in two AWS Regions and using Amazon Route 53 failover routing that points to Application Load Balancers in both Regions would not provide a low RTO, as Route 53 failover routing relies on DNS resolution, which can take time to propagate changes across different DNS servers and clients. Moreover, this strategy would not provide deterministic routing, as Route 53 failover routing depends on DNS caching behavior, which can vary depending on different factors.

A company is adopting AWS CodeDeploy to automate its application deployments for a Java-Apache Tomcat application with an Apache Webserver. The development team started with a proof of concept, created a deployment group for a developer environment, and performed functional tests within the application. After completion, the team will create additional deployment groups for staging and production.
The current log level is configured within the Apache settings, but the team wants to change this configuration dynamically when the deployment occurs, so that they can set different log level configurations depending on the deployment group without having a different application revision for each group.
How can these requirements be met with the LEAST management overhead and without requiring different script versions for each deployment group?

1. A. Tag the Amazon EC2 instances depending on the deployment grou
2. B. Then place ascript into the application revision that calls the metadata service and the EC2 API to identify which deployment group the instance is part o
3. C. Use this information to configure the log level setting
4. D. Reference the script as part of the AfterInstall lifecycle hook in the appspec.yml file.
5. E. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_ NAME to identify which deployment group the instance is part o
6. F. Use this information to configure the log level setting
7. G. Reference this script as part of the BeforeInstall lifecycle hook in the appspec.yml file.
8. H. Create a CodeDeploy custom environment variable for each environmen
9. I. Then place a script into the application revision that checks this environment variable to identify which deployment group the instance is part o
10. J. Use this information to configure the log level setting
11. K. Reference this script as part of the ValidateService lifecycle hook in the appspec.yml file.
12. L. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_ID to identify which deployment group the instance is part of to configure the log level setting
13. M. Reference this script as part of the Install lifecycle hook in the appspec.yml file.

Correct Answer: B
The following are the steps that the company can take to change the log level dynamically when the deployment occurs:
✑ Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_NAME to identify which deployment group the instance is part of.
✑ Use this information to configure the log level settings.
✑ Reference this script as part of the BeforeInstall lifecycle hook in the appspec.yml file.
The DEPLOYMENT_GROUP_NAME environment variable is automatically set by CodeDeploy when the deployment is triggered. This means that the script does not need to call the metadata service or the EC2 API to identify the deployment group.
This solution is the least complex and requires the least management overhead. It also does not require different script versions for each deployment group.
The following are the reasons why the other options are not correct:
✑ Option A is incorrect because it would require tagging the Amazon EC2 instances, which would be a manual and time-consuming process.
✑ Option C is incorrect because it would require creating a custom environment variable for each environment. This would be a complex and error-prone process.
✑ Option D is incorrect because it would use
the DEPLOYMENT_GROUP_ID environment variable. However, this variable is not automatically set by CodeDeploy, so the script would need to call the metadata service or the EC2 API to get the deployment group ID. This would add complexity and overhead to the solution.

A DevOps team uses AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy to deploy an application. The application is a REST API that uses AWS Lambda functions and Amazon API Gateway Recent deployments have introduced errors that have affected many customers.
The DevOps team needs a solution that reverts to the most recent stable version of the application when an error is detected. The solution must affect the fewest customers possible.
Which solution Will meet these requirements With the MOST operational efficiency?

1. A. Set the deployment configuration in CodeDepIoy to LambdaAlIAtOnce Configure automatic rollbacks on the deployment group Create an Amazon CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway Configure the deployment group to roll back when the number of alarms meets the alarm threshold
2. B. Set the deployment configuration in CodeDeploy to LambdaCanary10Percent10Minute
3. C. Configure automatic rollbacks on the deployment group Create an Amazon CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway Configure the deployment group to roll back when the number of alarms meets the alarm threshold
4. D. Set the deployment configuration in CodeDeploy to LambdaAllAtOnce Configure manual rollbacks on the deployment grou
5. E. Create an Amazon Simple Notification Service (Amazon SNS) topc to send notifications every time a deployrnent fad
6. F. Configure the SNS topc to Invoke a new Lambda function that stops the current deployment and starts the most recent successful deployment
7. G. Set the deployment configuration in CodeDeploy to LambdaCanaryIOPercentIOMinutes Configure manual rollbacks on the deployment group Create a metric filter on an Amazon CloudWatch log group for API Gateway to monitor HTTP Bad Gateway error
8. H. Configure the metric filter to Invoke a new Lambda function that stops the current eployment and starts the most recent successful deployment

Correct Answer: B
✑ Option A is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring automatic rollbacks on the deployment group is not operationally efficient, as it requires manual intervention to fix the errors and redeploy the application.
✑ Option B is correct because setting the deployment configuration to LambdaCanary10Percent10Minutes means that the new version of the application will be deployed to 10 percent of the Lambda functions first, and then to the remaining 90 percent after 10 minutes. This minimizes the impact of errors on customers, as only 10 percent of them will be affected by a faulty deployment. Configuring automatic rollbacks on the deployment group also meets the requirement of reverting to the most recent stable version of the application when an error is detected. Creating a CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway is a valid way to monitor the health of the application and trigger a rollback if needed.
✑ Option C is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating an SNS topic to send notifications every time a deployment fails is not sufficient to detect errors in the application, as it does not monitor the API Gateway responses.
✑ Option D is incorrect because configuring manual rollbacks on the deployment
group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating a metric filter on a CloudWatch log group for API Gateway to monitor HTTP Bad Gateway errors is a valid way to monitor the health of the application, but invoking a new Lambda function to perform a rollback is unnecessary and complex, as CodeDeploy already provides automatic rollback functionality.
References:
✑ AWS CodeDeploy Deployment Configurations
✑ [AWS CodeDeploy Rollbacks]
✑ Amazon CloudWatch Alarms

A company's security policies require the use of security hardened AMIS in production environments. A DevOps engineer has used EC2 Image Builder to create a pipeline that builds the AMIs on a recurring schedule.
The DevOps engineer needs to update the launch templates of the companys Auto Scaling groups. The Auto Scaling groups must use the newest AMIS during the launch of Amazon EC2 instances.
Which solution will meet these requirements with the MOST operational efficiency?

1. A. Configure an Amazon EventBridge rule to receive new AMI events from Image Builde
2. B. Target an AWS Systems Manager Run Command document that updates the launch templates of the Auto Scaling groups with the newest AMI ID.
3. C. Configure an Amazon EventBridge rule to receive new AMI events from Image Builde
4. D. Target an AWS Lambda function that updates the launch templates of the Auto Scaling groups with the newest AMI ID.
5. E. Configure the launch template to use a value from AWS Systems Manager Parameter Store for the AMI I
6. F. Configure the Image Builder pipeline to update the Parameter Store value with the newest AMI ID.
7. G. Configure the Image Builder distribution settings to update the launch templates with the newest AMI I
8. H. Configure the Auto Scaling groups to use the newest version of the launch template.

Correct Answer: C
✑ The most operationally efficient solution is to use AWS Systems Manager Parameter Store1 to store the AMI ID and reference it in the launch template2. This way, the launch template does not need to be updated every time a new AMI is created by Image Builder. Instead, the Image Builder pipeline can update the Parameter Store value with the newest AMI ID3, and the Auto Scaling group can launch instances using the latest value from Parameter Store.
✑ The other solutions require updating the launch template or creating a new version of it every time a new AMI is created, which adds complexity and overhead. Additionally, using EventBridge rules and Lambda functions or Run Command documents introduces additional dependencies and potential points of failure.
References: 1: AWS Systems Manager Parameter Store 2: Using AWS Systems Manager parameters instead of AMI IDs in launch templates 3: Update an SSM parameter with
Image Builder