A company has developed a serverless web application that is hosted on AWS. The application consists of Amazon S3. Amazon API Gateway, several AWS Lambda functions, and an Amazon RDS for MySQL database. The company is using AWS CodeCommit to store the source code. The source code is a combination of AWS Serverless Application Model (AWS SAM) templates and Python code.
A security audit and penetration test reveal that user names and passwords for authentication to the database are hardcoded within CodeCommit repositories. A DevOps engineer must implement a solution to automatically detect and prevent hardcoded secrets.
What is the MOST secure solution that meets these requirements?

1. A. Enable Amazon CodeGuru Profile
2. B. Decorate the handler function with@with_lambda_profiler(). Manually review the recommendation repor
3. C. Write the secret to AWS Systems Manager Parameter Store as a secure strin
4. D. Update the SAM templates and the Python code to pull the secret from Parameter Store.
5. E. Associate the CodeCommit repository with Amazon CodeGuru Reviewe
6. F. Manually check the code review for any recommendation
7. G. Choose the option to protect the secre
8. H. Update the SAM templates and the Python code to pull the secret from AWS Secrets Manager.
9. I. Enable Amazon CodeGuru Profile
10. J. Decorate the handler function with@with_lambda_profiler(). Manually review the recommendation repor
11. K. Choose the option to protect the secre
12. L. Update the SAM templates and the Python code to pull the secret from AWS Secrets Manager.
13. M. Associate the CodeCommit repository with Amazon CodeGuru Reviewe
14. N. Manually check the code review for any recommendation
15. O. Write the secret to AWS Systems Manager Parameter Store as a strin
16. P. Update the SAM templates and the Python code to pull the secret from Parameter Store.

Correct Answer: B
https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-amazon-codeguru-reviewer.html

A company has a new AWS account that teams will use to deploy various applications. The teams will create many Amazon S3 buckets for application- specific purposes and to store AWS CloudTrail logs. The company has enabled Amazon Macie for the account.
A DevOps engineer needs to optimize the Macie costs for the account without compromising the account's functionality.
Which solutions will meet these requirements? (Select TWO.)

1. A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.
2. B. Exclude S3 buckets that have public read access from automated discovery.
3. C. Configure scheduled daily discovery jobs for all S3 buckets in the account.
4. D. Configure discovery jobs to include S3 objects based on the last modified criterion.
5. E. Configure discovery jobs to include S3 objects that are tagged as production only.

Correct Answer: AD
To optimize the Macie costs for the account without compromising the account’s functionality, the DevOps engineer needs to exclude S3 buckets that do not contain sensitive data from automated discovery. S3 buckets that contain CloudTrail logs are unlikely to have sensitive data, and Macie charges for scanning and monitoring data in S3 buckets. Therefore, excluding S3 buckets that contain CloudTrail logs from automated discovery can reduce Macie costs. Similarly, configuring discovery jobs to include S3 objects based on the last modified criterion can also reduce Macie costs, as it will only scan and monitor new or updated objects, rather than all objects in the bucket.

A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week.
The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?

1. A. Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API call
2. B. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.
3. C. Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration change
4. D. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
5. E. Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API call
6. F. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
7. G. Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration change
8. H. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

Correct Answer: B
https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html

A company has developed an AWS Lambda function that handles orders received through an API. The company is using AWS CodeDeploy to deploy the Lambda function as the final stage of a CI/CD pipeline.
A DevOps engineer has noticed there are intermittent failures of the ordering API for a few seconds after deployment. After some investigation the DevOps engineer believes the failures are due to database changes not having fully propagated before the Lambda function is invoked
How should the DevOps engineer overcome this?

1. A. Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before traffic can flow to the new version of the Lambda function.
2. B. Add an AfterAlIowTraffic hook to the AppSpec file that forces traffic to wait for any pending database changes before allowing the new version of the Lambda function to respond.
3. C. Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before deploying the new version of the Lambda function.
4. D. Add a validateService hook to the AppSpec file that inspects incoming traffic and rejects the payload if dependent services such as the database are not yet ready.

Correct Answer: A
https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html#appspec-hooks-lambda

A company is implementing AWS CodePipeline to automate its testing process The company wants to be notified when the execution state fails and used the following custom event pattern in Amazon EventBridge:

Which type of events will match this event pattern?

1. A. Failed deploy and build actions across all the pipelines
2. B. All rejected or failed approval actions across all the pipelines
3. C. All the events across all pipelines
4. D. Approval actions across all the pipelines

Correct Answer: B
Action-level states in events Action state Description
STARTED The action is currently running. SUCCEEDED The action was completed successfully.
FAILED For Approval actions, the FAILED state means the action was either rejected by the reviewer or failed due to an incorrect action configuration.
CANCELED The action was canceled because the pipeline structure was updated.