A DevOps engineer manages a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The engineer needs to implement a deployment strategy that:
Launches a second fleet of instances with the same capacity as the original fleet. Maintains the original fleet unchanged while the second fleet is launched. Transitions traffic to the second fleet when the second fleet is fully deployed. Terminates the original fleet automatically 1 hour after transition.
Which solution will satisfy these requirements?

1. A. Use an AWS CloudFormation template with a retention policy for the ALB set to 1 hou
2. B. Update the Amazon Route 53 record to reflect the new ALB.
3. C. Use two AWS Elastic Beanstalk environments to perform a blue/green deployment from the original environment to the new on
4. D. Create an application version lifecycle policy to terminate the original environment in 1 hour.
5. E. Use AWS CodeDeploy with a deployment group configured with a blue/green deployment configuration Select the option Terminate the original instances in the deployment group with a waiting period of 1 hour.
6. F. Use AWS Elastic Beanstalk with the configuration set to Immutabl
7. G. Create an.ebextension using the Resources key that sets the deletion policy of the ALB to 1 hour, and deploy the application.

Correct Answer: C
https://docs.aws.amazon.com/codedeploy/latest/APIReference/API_BlueInstanceTerminati onOption.html
The original revision termination settings are configured to wait 1 hour after traffic has been rerouted before terminating the blue task set. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type- bluegreen.html

A company hosts a security auditing application in an AWS account. The auditing application uses an IAM role to access other AWS accounts. All the accounts are in the same organization in AWS Organizations.
A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application's IAM role. The company needs to prevent any modification to the auditing application's IAM role by any entity other than a trusted administrator IAM role.
Which solution will meet these requirements?

1. A. Create an SCP that includes a Deny statement for changes to the auditing application's IAM rol
2. B. Include a condition that allows the trusted administrator IAM role to make change
3. C. Attach the SCP to the root of the organization.
4. D. Create an SCP that includes an Allow statement for changes to the auditing application's IAM role by the trusted administrator IAM rol
5. E. Include a Deny statement for changes by all other IAM principal
6. F. Attach the SCP to the IAM service in each AWS account where the auditing application has an IAM role.
7. G. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM rol
8. H. Include a condition that allows the trusted administrator IAM role to make change
9. I. Attach the permissions boundary to the audited AWS accounts.
10. J. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application’s IAM rol
11. K. Include a condition that allows the trusted administrator IAM role to make change
12. L. Attach the permissions boundary to the auditing application's IAM role in the AWS accounts.

Correct Answer: A
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps. html?icmpid=docs_orgs_console
SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level, which in this case would be used to restrict modifications to the IAM role used by the auditing application, while still allowing trusted administrators to make changes to it. Options C and D are not as effective because IAM permission boundaries are applied to IAM entities (users, groups, and roles), not the account itself, and must be applied to all IAM entities in the account.

A company recently launched multiple applications that use Application Load Balancers. Application response time often slows down when the applications experience problems A DevOps engineer needs to Implement a monitoring solution that alerts the company when the applications begin to perform slowly The DevOps engineer creates an Amazon Simple Notification Semce (Amazon SNS) topic and subscribe the company's email address to the topic
What should the DevOps engineer do next to meet the requirements?

1. A. Create an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval Configure the Lambda function to publish a notification to the SNS topic when the applications return errors.
2. B. Create an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interva
3. C. Configure the canary to use the SNS topic when the applications return errors.
4. D. Create an Amazon CloudWatch alarm that uses the AWS/AppljcabonELB namespace RequestCountPerTarget metric Configure the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports Configure the CloudWatch alarm to use the SNS topic.
5. E. Create an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric Configure the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports Configure the CloudWatch alarm to use the SNS topic

Correct Answer: B
✑ Option A is incorrect because creating an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval is not a valid solution. EventBridge rules can only trigger Lambda functions based on events, not on time intervals. Moreover, querying the applications on a 5-minute interval might incur unnecessary costs and network overhead, and might not detect performance issues in real time.
✑ Option B is correct because creating an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interval is a valid solution. CloudWatch Synthetics canaries are configurable scripts that monitor endpoints and APIs by simulating customer behavior. Canaries can run as often as once per minute, and can measure the latency and availability of the
applications. Canaries can also send notifications to an Amazon SNS topic when they detect errors or performance issues1.
✑ Option C is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution. The RequestCountPerTarget metric measures the number of requests completed or connections made per target in a target group2. This metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports is not a valid way to measure the application performance, as it depends on the application design and implementation.
✑ Option D is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution, for the same reason as option C. The RequestCountPerTarget metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports is not a valid way to measure the application performance, as it does not account for variability or outliers in the response time distribution.
References:
✑ 1: Using synthetic monitoring
✑ 2: Application Load Balancer metrics

A company wants to use AWS development tools to replace its current bash deployment scripts. The company currently deploys a LAMP application to a group of Amazon EC2 instances behind an Application Load Balancer (ALB). During the deployments, the company unit tests the committed application, stops and starts services, unregisters and re-registers instances with the load balancer, and updates file permissions. The company wants to maintain the same deployment functionality through the shift to using AWS
services.
Which solution will meet these requirements?

1. A. Use AWS CodeBuild to test the applicatio
2. B. Use bash scripts invoked by AWS CodeDeploy's appspec.yml file to restart services, and deregister and register instances with the AL
3. C. Use the appspec.yml file to update file permissions without a custom script.
4. D. Use AWS CodePipeline to move the application from the AWS CodeCommit repository to AWS CodeDeplo
5. E. Use CodeDeploy's deployment group to test the application, unregister and re-register instances with the AL
6. F. and restart service
7. G. Use the appspec.yml file to update file permissions without a custom script.
8. H. Use AWS CodePipeline to move the application source code from the AWS CodeCommit repository to AWS CodeDeplo
9. I. Use CodeDeploy to test the applicatio
10. J. Use CodeDeploy's appspec.yml file to restart services and update permissions without a custom scrip
11. K. Use AWS CodeBuild to unregister and re-register instances with the ALB.
12. L. Use AWS CodePipeline to trigger AWS CodeBuild to test the applicatio
13. M. Use bash scripts invoked by AWS CodeDeploy's appspec.yml file to restart service
14. N. Unregister and re-register the instances in the AWS CodeDeploy deployment group with the AL
15. O. Update the appspec.yml file to update file permissions without a custom script.

Correct Answer: D
https://aws.amazon.com/blogs/devops/how-to-test-and-debug-aws-codedeploy-locally-before-you-ship-your- code/#:~:text=You%20can%20test%20application%20code,local%20server%20or%20EC2
%20instance.

A DevOps team manages an API running on-premises that serves as a backend for an Amazon API Gateway endpoint. Customers have been complaining about high response latencies, which the development team has verified using the API Gateway latency metrics in Amazon CloudWatch. To identify the cause, the team needs to collect relevant data without introducing additional latency.
Which actions should be taken to accomplish this? (Choose two.)

1. A. Install the CloudWatch agent server side and configure the agent to upload relevant logs to CloudWatch.
2. B. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and upload those segments to X-Ray during each request.
3. C. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and use the X-Ray daemon to upload segments to X-Ray.
4. D. Modify the on-premises application to send log information back to API Gateway with each request.
5. E. Modify the on-premises application to calculate and upload statistical data relevant to the API service requests to CloudWatch metrics.

Correct Answer: AC
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-premise.html https://docs.aws.amazon.com/xray/latest/devguide/xray-api-sendingdata.html