A company has deployed an application in a production VPC in a single AWS account. The application is popular and is experiencing heavy usage. The company’s security team wants to add additional security, such as AWS WAF, to the application deployment. However, the application's product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary.
The security team believes that some of the application's demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC.
Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?

1. A. Create a log group in Amazon CloudWatch Log
2. B. Configure the VPC flow log to capture accepted traffic and to send the data to the log grou
3. C. Create an Amazon CloudWatch metric filter for IP addresses on the deny lis
4. D. Create a CloudWatch alarm with the metric filter as inpu
5. E. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
6. F. Create an Amazon S3 bucket for log file
7. G. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucke
8. H. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny lis
9. I. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can acces
10. J. Create a threshold alert of 1 for successful acces
11. K. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
12. L. Create an Amazon S3 bucket for log file
13. M. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucke
14. N. Configure an Amazon OpenSearch Service cluster and domain for the log file
15. O. Create an AWS Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluste
16. P. Schedule the Lambda function to run every 5 minute
17. Q. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
18. R. Create a log group in Amazon CloudWatch Log
19. S. Create an Amazon S3 bucket to hold query results.Configure the VPC flow log to capture all traffic and to send the data to the log grou
20. T. Deploy an Amazon Athena CloudWatch connector in AWS Lambd
21. . Connect the connector to the log grou
22. . Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucke
23. . Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.

Correct Answer: A

A company has an organization in AWS Organizations. The organization includes workload accounts that contain enterprise applications. The company centrally manages users from an operations account. No users can be created in the workload accounts. The company recently added an operations team and must provide the operations team members with administrator access to each workload account.
Which combination of actions will provide this access? (Choose three.)

1. A. Create a SysAdmin role in the operations accoun
2. B. Attach the AdministratorAccess policy to the role.Modify the trust relationship to allow the sts:AssumeRole action from the workload accounts.
3. C. Create a SysAdmin role in each workload accoun
4. D. Attach the AdministratorAccess policy to the role.Modify the trust relationship to allow the sts:AssumeRole action from the operations account.
5. E. Create an Amazon Cognito identity pool in the operations accoun
6. F. Attach the SysAdmin role as an authenticated role.
7. G. In the operations account, create an IAM user for each operations team member.
8. H. In the operations account, create an IAM user group that is named SysAdmin
9. I. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload accoun
10. J. Add all operations team members to the group.
11. K. Create an Amazon Cognito user pool in the operations accoun
12. L. Create an Amazon Cognito user for each operations team member.

Correct Answer: BDE
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

A development team uses AWS CodeCommit for version control for applications. The development team uses AWS CodePipeline, AWS CodeBuild. and AWS CodeDeploy for CI/CD infrastructure. In CodeCommit, the development team recently merged pull requests that did not pass long-running tests in the code base. The development team needed to perform rollbacks to branches in the codebase, resulting in lost time and wasted effort.
A DevOps engineer must automate testing of pull requests in CodeCommit to ensure that reviewers more easily see the results of automated tests as part of the pull request review.
What should the DevOps engineer do to meet this requirement?

1. A. Create an Amazon EventBridge rule that reacts to the pullRequestStatusChanged even
2. B. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the applicatio
3. C. Program the Lambda function to post the CodeBuild badge as a comment on the pull request so that developers will see the badge in their code review.
4. D. Create an Amazon EventBridge rule that reacts to the pullRequestCreated even
5. E. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the applicatio
6. F. Program the Lambda function to post the CodeBuild test results as a comment on the pull request when the test results are complete.
7. G. Create an Amazon EventBridge rule that reacts to pullRequestCreated and pullRequestSourceBranchUpdated event
8. H. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the applicatio
9. I. Program the Lambda function to post the CodeBuild badge as a comment on the pull request so that developers will see the badge in their code review.
10. J. Create an Amazon EventBridge rule that reacts to the pullRequestStatusChanged even
11. K. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the applicatio
12. L. Program the Lambda function to post the CodeBuild test results as a comment on the pullrequest when the test results are complete.

Correct Answer: B
https://aws.amazon.com/es/blogs/devops/complete-ci-cd-with-aws-codecommit-aws-codebuild-aws-codedeploy

A company has an AWS CodePipeline pipeline that is configured with an Amazon S3 bucket in the eu-west-1 Region. The pipeline deploys an AWS Lambda application to the same Region. The pipeline consists of an AWS CodeBuild project build action and an AWS CloudFormation deploy action.
The CodeBuild project uses the aws cloudformation package AWS CLI command to build an artifact that contains the Lambda function code’s .zip file and the CloudFormation template. The CloudFormation deploy action references the CloudFormation template from the output artifact of the CodeBuild project’s build action.
The company wants to also deploy the Lambda application to the us-east-1 Region by using the pipeline in eu-west-1. A DevOps engineer has already updated the CodeBuild project to use the aws cloudformation package command to produce an additional output artifact for us-east-1.
Which combination of additional steps should the DevOps engineer take to meet these requirements? (Choose two.)

1. A. Modify the CloudFormation template to include a parameter for the Lambda function code’s zip file locatio
2. B. Create a new CloudFormation deploy action for us-east-1 in the pipelin
3. C. Configure the new deploy action to pass in the us-east-1 artifact location as a parameter override.
4. D. Create a new CloudFormation deploy action for us-east-1 in the pipelin
5. E. Configure the new deploy action to use the CloudFormation template from the us-east-1 output artifact.
6. F. Create an S3 bucket in us-east-1. Configure the S3 bucket policy to allow CodePipeline to have read and write access.
7. G. Create an S3 bucket in us-east-1. Configure S3 Cross-Region Replication (CRR) from the S3 bucket in eu-west-1 to the S3 bucket in us-east-1.
8. H. Modify the pipeline to include the S3 bucket for us-east-1 as an artifact stor
9. I. Create a new CloudFormation deploy action for us-east-1 in the pipelin
10. J. Configure the new deploy action to use the CloudFormation template from the us-east-1 output artifact.

Correct Answer: AB
* A. The CloudFormation template should be modified to include a parameter that indicates the location of the .z ip file containing the Lambda function's code. This allows the CloudFormation deploy action to use the correct artifact depending on the region. This is critical because Lambda functions need to reference their code artifacts from the same region they are being deployed in. B. You would also need to create a new CloudFormation deploy action for the us-east-1 Region within the pipeline. This action should be configured to use the CloudFormation template from the artifact that was specifically created for us-east-1.

A company is storing 100 GB of log data in csv format in an Amazon S3 bucket SQL developers want to query this data and generate graphs to visualize it. The SQL developers also need an efficient automated way to store metadata from the csv file.
Which combination of steps will meet these requirements with the LEAST amount of effort? (Select THREE.)

1. A. Fitter the data through AWS X-Ray to visualize the data.
2. B. Filter the data through Amazon QuickSight to visualize the data.
3. C. Query the data with Amazon Athena.
4. D. Query the data with Amazon Redshift.
5. E. Use the AWS Glue Data Catalog as the persistent metadata store.
6. F. Use Amazon DynamoDB as the persistent metadata store.

Correct Answer: BCE
https://docs.aws.amazon.com/glue/latest/dg/components-overview.html