A company has an application that runs on a fleet of Amazon EC2 instances. The application requires frequent restarts. The application logs contain error messages when a restart is required. The application logs are published to a log group in Amazon CloudWatch Logs.
An Amazon CloudWatch alarm notifies an application engineer through an Amazon Simple Notification Service (Amazon SNS) topic when the logs contain a large number of restart- related error messages. The application engineer manually restarts the application on the instances after the application engineer receives a notification from the SNS topic.
A DevOps engineer needs to implement a solution to automate the application restart on the instances without restarting the instances.
Which solution will meet these requirements in the MOST operationally efficient manner?

1. A. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
2. B. Configure the SNS topic to invoke the runbook.
3. C. Create an AWS Lambda function that restarts the application on the instance
4. D. Configure the Lambda function as an event destination of the SNS topic.
5. E. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
6. F. Create an AWS Lambda function to invoke the runboo
7. G. Configure the Lambda function as an event destination of the SNS topic.
8. H. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
9. I. Configure an Amazon EventBridge rule that reacts when the CloudWatch alarm enters ALARM stat
10. J. Specify the runbook as a target of the rule.

Correct Answer: D
This solution meets the requirements in the most operationally efficient manner by automating the application restart process on the instances without restarting them. When the CloudWatch alarm enters the ALARM state, the EventBridge rule is triggered, which in turn invokes the Systems Manager Automation runbook that contains the script to restart the application on the instances.

A company uses an Amazon API Gateway regional REST API to host its application API. The REST API has a custom domain. The REST API's default endpoint is deactivated.
The company's internal teams consume the API. The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
2. B. Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
3. C. Upload the provisioned client certificate to an Amazon S3 bucke
4. D. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
5. E. Upload the provisioned client certificate private key to an Amazon S3 bucke
6. F. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
7. G. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucke
8. H. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.

Correct Answer: AE
Mutual TLS (mTLS) authentication requires two-way authentication between the client and the server. For Amazon API Gateway, you can enable mTLS for a custom domain name, which requires clients to present X.509 certificates to verify their identity to access your API. To set up mTLS, you would typically use AWS Certificate Manager (ACM) to create a private certificate authority (CA) and provision a client certificate signed by this private
CA. The root CA certificate is then uploaded to an Amazon S3 bucket and configured in API Gateway as the trust store12.
References:
✑ Introducing mutual TLS authentication for Amazon API Gateway1.
✑ Configuring mutual TLS authentication for a REST API2.
✑ AWS Private Certificate Authority details3.
✑ AWS Certificate Manager Private Certificate Authority updates4.

A company has deployed an application in a production VPC in a single AWS account. The application is popular and is experiencing heavy usage. The company’s security team wants to add additional security, such as AWS WAF, to the application deployment. However, the application's product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary.
The security team believes that some of the application's demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC.
Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?

1. A. Create a log group in Amazon CloudWatch Log
2. B. Configure the VPC flow log to capture accepted traffic and to send the data to the log grou
3. C. Create an Amazon CloudWatch metric filter for IP addresses on the deny lis
4. D. Create a CloudWatch alarm with the metric filter as inpu
5. E. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
6. F. Create an Amazon S3 bucket for log file
7. G. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucke
8. H. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny lis
9. I. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can acces
10. J. Create a threshold alert of 1 for successful acces
11. K. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
12. L. Create an Amazon S3 bucket for log file
13. M. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucke
14. N. Configure an Amazon OpenSearch Service cluster and domain for the log file
15. O. Create an AWS Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluste
16. P. Schedule the Lambda function to run every 5 minute
17. Q. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
18. R. Create a log group in Amazon CloudWatch Log
19. S. Create an Amazon S3 bucket to hold query result
20. T. Configure the VPC flow log to capture all traffic and to send the data to the log grou
21. . Deploy an Amazon Athena CloudWatch connector in AWS Lambd
22. . Connect the connector to the log grou
23. . Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucke
24. . Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.

Correct Answer: A

A company has an application that includes AWS Lambda functions. The Lambda functions run Python code that is stored in an AWS CodeCommit repository. The company has recently experienced failures in the production environment because of an error in the Python code. An engineer has written unit tests for the Lambda functions to help avoid releasing any future defects into the production environment.
The company's DevOps team needs to implement a solution to integrate the unit tests into an existing AWS CodePipeline pipeline. The solution must produce reports about the unit tests for the company to view.
Which solution will meet these requirements?

1. A. Associate the CodeCommit repository with Amazon CodeGuru Reviewe
2. B. Create a new AWS CodeBuild projec
3. C. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild projec
4. D. Create a buildspec.yml file in the CodeCommit repositor
5. E. In the buildspec.yml file, define the actions to run a CodeGuru review.
6. F. Create a new AWS CodeBuild projec
7. G. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild projec
8. H. Create a CodeBuild report grou
9. I. Create a buildspec.yml file in the CodeCommit repositor
10. J. In the buildspec.yml file, define the actions to run the unit tests with an output of JUNITXML in the build phase section.Configure the test reports to be uploaded to the new CodeBuild report group.
11. K. Create a new AWS CodeArtifact repositor
12. L. Create a new AWS CodeBuild projec
13. M. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild projec
14. N. Create an appspec.yml file in the original CodeCommit repositor
15. O. In the appspec.yml file, define the actions to run the unit tests with an output of CUCUMBERJSON in the build phase sectio
16. P. Configure the tests reports to be sent to the new CodeArtifact repository.
17. Q. Create a new AWS CodeBuild projec
18. R. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild projec
19. S. Create a new Amazon S3 bucke
20. T. Create a buildspec.yml file in the CodeCommit repositor
21. . In the buildspec.yml file, define the actions to run the unit tests with an output of HTML in the phases sectio
22. . In the reports section, upload the test reports to the S3 bucket.

Correct Answer: B
The correct answer is B. Creating a new AWS CodeBuild project and configuring a test stage in the AWS CodePipeline pipeline that uses the new CodeBuild project is the best way to integrate the unit tests into the existing pipeline. Creating a CodeBuild report group and uploading the test reports to the new CodeBuild report group will produce reports about the unit tests for the company to view. Using JUNITXML as the output format for the unit tests is supported by CodeBuild and will generate a valid report. Option A is incorrect because Amazon CodeGuru Reviewer is a service that provides automated code reviews and recommendations for improving code quality and performance. It is not a tool for running unit tests or producing test reports. Therefore, option A will not meet the requirements.
Option C is incorrect because AWS CodeArtifact is a service that provides secure, scalable, and cost-effective artifact management for software development. It is not a tool for running unit tests or producing test reports. Moreover, option C uses CUCUMBERJSON as the output format for the unit tests, which is not supported by CodeBuild and will not generate a valid report.
Option D is incorrect because uploading the test reports to an Amazon S3 bucket is not the best way to produce reports about the unit tests for the company to view. CodeBuild has a built-in feature to create and manage test reports, which is more convenient and efficient than using S3. Furthermore, option D uses HTML as the output format for the unit tests, which is not supported by CodeBuild and will not generate a valid report.

A company is divided into teams Each team has an AWS account and all the accounts are in an organization in AWS Organizations. Each team must retain full administrative rights to its AWS account. Each team also must be allowed to access only AWS services that the company approves for use AWS services must gam approval through a request and approval process.
How should a DevOps engineer configure the accounts to meet these requirements?

1. A. Use AWS CloudFormation StackSets to provision IAM policies in each account to deny access to restricted AWS service
2. B. In each account configure AWS Config rules that ensure that the policies are attached to IAM principals in the account.
3. C. Use AWS Control Tower to provision the accounts into OUs within the organization Configure AWS Control Tower to enable AWS IAM identity Center (AWS Single Sign-On). Configure 1AM Identity Center to provide administrative access Include deny policies on user roles for restricted AWS services.
4. D. Place all the accounts under a new top-level OU within the organization Create an SCP that denies access to restricted AWS services Attach the SCP to the OU.
5. E. Create an SCP that allows access to only approved AWS service
6. F. Attach the SCP to the root OU of the organizatio
7. G. Remove the FullAWSAccess SCP from the root OU of the organization.

Correct Answer: C
https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html A managed prefix list is a set of one or more CIDR blocks. You can use prefix lists to make it easier to configure and maintain your security groups and route tables. https://docs.aws.amazon.com/vpc/latest/userguide/sharing-managed-prefix-lists.html With AWS Resource Access Manager (AWS RAM), the owner of a prefix list can share a prefix list with the following: Specific AWS accounts inside or outside of its organization in AWS Organizations An organizational unit inside its organization in AWS Organizations An entire organization in AWS Organizations