A developer is creating an AWS Lambda function that searches for Items from an Amazon DynamoDQ table that contains customer contact information. The DynamoDB table items have the customers as the partition and additional properties such as customer -type, name, and job_title.
The Lambda function runs whenever a user types a new character into the customer_type text Input. The developer wants to search to return partial matches of all tne email_address property of a particular customer type. The developer does not want to recreate the DynamoDB table.
What should the developer do to meet these requirements?

1. A. Add a global secondary index (GSI) to the DynamoDB table with customer-type input, as the partition key and email_address as the sort ke
2. B. Perform a query operation on the GSI by using the begins with key condition expression with the email_address property.
3. C. Add a global secondary index (GSI) to the DynamoDB table with email_address as the partition key and customer_type as the sort ke
4. D. Perform a query operation on the GSI by using the begine_with key condition expresses with the emai
5. E. Address property.
6. F. Add a local secondary index (LSI) to the DynemoOB table with customer_type as the partition Key and email_address as the sort Ke
7. G. Perform a quick operation on the LSI by using the begine_with Key condition expression with the email-address property.
8. H. Add a local secondary index (LSI) to the DynamoDB table with job-title as the partition key and email_address as the sort ke
9. I. Perform a query operation on the LSI by using the begins_with key condition expression with the email_address property.

Correct Answer: A
The solution that will meet the requirements is to add a global secondary index (GSI) to the DynamoDB table with customer_type as the partition key and email_address as the sort key. Perform a query operation on the GSI by using the begins_with key condition expression with the email_address property. This way, the developer can search for partial matches of the email_address property of a particular customer type without recreating the DynamoDB table. The other options either involve using a local secondary index (LSI), which requires recreating the table, or using a different partition key, which does not allow filtering by customer_type.
Reference: Using Global Secondary Indexes in DynamoDB

An application that runs on AWS receives messages from an Amazon Simple Queue Service (Amazon SQS) queue and processes the messages in batches. The
application sends the data to another SQS queue to be consumed by another legacy application. The legacy system can take up to 5 minutes to process some transaction data.
A developer wants to ensure that there are no out-of-order updates in the legacy system. The developer cannot alter the behavior of the legacy system.
Which solution will meet these requirements?

1. A. Use an SQS FIFO queu
2. B. Configure the visibility timeout value.
3. C. Use an SQS standard queue with a SendMessageBatchRequestEntry data typ
4. D. Configure the DelaySeconds values.
5. E. Use an SQS standard queue with a SendMessageBatchRequestEntry data typ
6. F. Configure the visibility timeout value.
7. G. Use an SQS FIFO queu
8. H. Configure the DelaySeconds value.

Correct Answer: A
✑ An SQS FIFO queue is a type of queue that preserves the order of messages and ensures that each message is delivered and processed only once1. This is suitable for the scenario where the developer wants to ensure that there are no out-of-order updates in the legacy system.
✑ The visibility timeout value is the amount of time that a message is invisible in the queue after a consumer receives it2. This prevents other consumers from processing the same message simultaneously. If the consumer does not delete the message before the visibility timeout expires, the message becomes visible again and another consumer can receive it2.
✑ In this scenario, the developer needs to configure the visibility timeout value to be longer than the maximum processing time of the legacy system, which is 5 minutes. This will ensure that the message remains invisible in the queue until the legacy system finishes processing it and deletes it. This will prevent duplicate or out-of-order processing of messages by the legacy system.

A company has an application that uses Amazon Cognito user pools as an identity provider. The company must secure access to user records. The company has set up multi-factor authentication (MFA). The company also wants to send a login activity notification by email every time a user logs in.
What is the MOST operationally efficient solution that meets this requirement?

1. A. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notificatio
2. B. Add an Amazon API Gateway API to invoke the functio
3. C. Call the API from the client side when login confirmation is received.
4. D. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notificatio
5. E. Add an Amazon Cognito post authentication Lambda trigger for the function.
6. F. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notificatio
7. G. Create an Amazon CloudWatch Logs log subscription filter to invoke the function based on the login status.
8. H. Configure Amazon Cognito to stream all logs to Amazon Kinesis Data Firehos
9. I. Create an AWS Lambda function to process the streamed logs and to send the email notification based on the login status of each user.

Correct Answer: B
Amazon Cognito user pools support Lambda triggers, which are custom functions that can be executed at various stages of the user pool workflow. A post authentication Lambda trigger can be used to perform custom actions after a user is authenticated, such as sending an email notification. Amazon SES is a cloud-based email sending service that can be used to send transactional or marketing emails. A Lambda function can use the Amazon SES API to send an email to the user’s email address after the user logs in successfully. Reference: Post authentication Lambda trigger

A company needs to deploy all its cloud resources by using AWS CloudFormation templates A developer must create an Amazon Simple Notification Service (Amazon SNS) automatic notification to help enforce this rule. The developer creates an SNS topic and subscribes the email address of the company's security team to the SNS topic.
The security team must receive a notification immediately if an 1AM role is created without the use of CloudFormation.
Which solution will meet this requirement?

1. A. Create an AWS Lambda function to filter events from CloudTrail if a role was created without CloudFormation Configure the Lambda function to publish to the SNS topi
2. B. Create an Amazon EventBridge schedule to invoke the Lambda function every 15 minutes
3. C. Create an AWS Fargate task in Amazon Elastic Container Service (Amazon ECS) to filter events from CloudTrail if a role was created without CloudFormation Configure the Fargate task to publish to the SNS topic Create an Amazon EventBridge schedule to run the Fargate task every 15 minutes
4. D. Launch an Amazon EC2 instance that includes a script to filter events from CloudTrail if a role was created without CloudFormatio
5. E. Configure the script to publish to the SNS topi
6. F. Create a cron job to run the script on the EC2 instance every 15 minutes.
7. G. Create an Amazon EventBridge rule to filter events from CloudTrail if a role was created without CloudFormation Specify the SNS topic as the target of the EventBridge rule.

Correct Answer: D
Creating an Amazon EventBridge rule is the most efficient and scalable way to monitor and react to events from CloudTrail, such as the creation of an IAM role without CloudFormation. EventBridge allows you to specify a filter pattern to match the events you are interested in, and then specify an SNS topic as the target to send notifications. This solution does not require any additional resources or code, and it can trigger notifications in near real-time. The other solutions involve creating and managing additional resources, such as Lambda functions, Fargate tasks, or EC2 instances, and they rely on polling CloudTrail events every 15 minutes, which can introduce delays and increase
costs. References
✑ Using Amazon EventBridge rules to process AWS CloudTrail events
✑ Using AWS CloudFormation to create and manage AWS Batch resources
✑ How to use AWS CloudFormation to configure auto scaling for Amazon Cognito and AWS AppSync
✑ Using AWS CloudFormation to automate the creation of AWS WAF web ACLs, rules, and conditions

An organization is using Amazon CloudFront to ensure that its users experience low- latency access to its web application. The organization has identified a need to encrypt all traffic between users and CloudFront, and all traffic between CloudFront and the web application.
How can these requirements be met? (Select TWO)

1. A. Use AWS KMS t0 encrypt traffic between cloudFront and the web application.
2. B. Set the Origin Protocol Policy to "HTTPS Only".
3. C. Set the Origin’s HTTP Port to 443.
4. D. Set the Viewer Protocol Policy to "HTTPS Only" or Redirect HTTP to HTTPS"
5. E. Enable the CloudFront option Restrict Viewer Access.

Correct Answer: BD
This solution will meet the requirements by ensuring that all traffic between users and CloudFront, and all traffic between CloudFront and the web application, are encrypted using HTTPS protocol. The Origin Protocol Policy determines how CloudFront communicates with the origin server (the web application), and setting it to “HTTPS Only” will force CloudFront to use HTTPS for every request to the origin server. The Viewer Protocol Policy determines how CloudFront responds to HTTP or HTTPS requests from users, and setting it to “HTTPS Only” or “Redirect HTTP to HTTPS” will force CloudFront to use HTTPS for every response to users. Option A is not optimal because it will use AWS KMS to encrypt traffic between CloudFront and the web application, which is not necessary or supported by CloudFront. Option C is not optimal because it will set the origin’s HTTP port to 443, which is incorrect as port 443 is used for HTTPS protocol, not HTTP protocol. Option E is not optimal because it will enable the CloudFront option Restrict Viewer Access, which is used for controlling access to private content using signed URLs or signed cookies, not for encrypting traffic.
References: [Using HTTPS with CloudFront], [Restricting Access to Amazon S3 Content by Using an Origin Access Identity]