Amazon Practice Questions, Discussions & Exam Topics by our Authors
A company wants to decrease the time it takes to develop new features. The company uses AWS CodeBuild and AWS CodeDeploy to build and deploy its applications. The company uses AWS CodePipeline to deploy each microservice with its own CI/CD pipeline.
The company needs more visibility into the average time between the release of new feat...
Let's analyze each option and determine which one provides the best solution for the company's needs with the least configuration effort:
A) Program an AWS Lambda function that creates Amazon CloudWatch custom metrics with information about successful runs and failed runs for each pipeline. Create an Amazon EventBridge rule to invoke the Lambda function every 5 minutes. Use the metrics to build a CloudWatch dashboard.
- Rejected: This option introduces unnecessary complexity. Creating custom metrics every 5 minutes via EventBridge and Lambda adds overhead without being the most efficient solution. Additionally, frequent updates every 5 minutes are not ideal if the company needs to track the status of deployments right after they occur (for both successful and failed runs). The solution could be more real-time and straightforward.
B) Program an AWS Lambda function that creates Amazon CloudWatch custom metrics with information about successful runs and failed runs for each pipeline. Create an Amazon EventBridge rule to invoke the Lambda function after every successful run and after every failed run. Use the metrics to build a CloudWatch dashboard.
- Selected: This option is efficient and provides real-time insights into deployment success and failure. By using EventBridge to invoke the Lambda function after every successful and failed run, the company can track the metrics immediately after each deployment. The Lambda function can directly create custom metrics in CloudWatch, which is ideal for real-time monitoring. Building a CloudWatch dashboard for these metrics will give the required visibility without additional overhead.
C) Program an AWS Lambda function that writes information about successful runs ...
Author: Sara · Last updated May 17, 2026
A company has developed a static website hosted on an Amazon S3 bucket. The website is deployed using AWS CloudFormation. The CloudFormation template defines an S3 bucket and a custom resource that copies content into the bucket from a source location.
The company has decided that it needs to move the website to a new location, so the existing CloudFormation stack must be deleted and re-created. However, CloudFormation r...
Let's analyze the options to determine the most likely cause of the issue and the best way to mitigate the problem for future versions of the website:
A) Deletion has failed because the S3 bucket has an active website configuration. Modify the CloudFormation template to remove the WebsiteConfiguration property from the S3 bucket resource.
- Rejected: The issue with deleting the stack is not related to the website configuration itself. Even if the S3 bucket has an active website configuration, that wouldn't prevent CloudFormation from deleting the bucket. CloudFormation can successfully delete an S3 bucket with an active website configuration as long as the bucket is empty. The real issue is more likely to be with the content inside the bucket or the deletion policy, not the website configuration.
B) Deletion has failed because the S3 bucket is not empty. Modify the custom resource's AWS Lambda function code to recursively empty the bucket when RequestType is Delete.
- Selected: This is the most likely cause. If the S3 bucket is not empty, CloudFormation will fail to delete it. The custom resource (likely an AWS Lambda function) is responsible for copying content into the bucket, but it does not handle removing content when the stack is being deleted. To fix this, the custom resource’s Lambda function should be modified to empty the S3 bucket when the `RequestType` is `Delete`. This ensures that the bucket can be deleted cleanly as p...
Author: SilverBear · Last updated May 17, 2026
A company uses Amazon EC2 as its primary compute platform. A DevOps team wants to audit the company's EC2 instances to check whether any prohibited applications have been installed on the EC2 instance...
To audit EC2 instances for prohibited applications efficiently, the primary goals are to minimize operational overhead while ensuring thorough checks. Let’s examine the options:
Option A:
Configure AWS Systems Manager on each instance. Use AWS Systems Manager Inventory. Use Systems Manager resource data sync to synchronize and store findings in an Amazon S3 bucket. Create an AWS Lambda function that runs when new objects are added to the S3 bucket. Configure the Lambda function to identify prohibited applications.
- Pros:
  - AWS Systems Manager Inventory is an efficient way to gather detailed software inventory data across EC2 instances.
  - Using an S3 bucket to store the findings allows centralized storage.
  - Lambda automation for analyzing findings offers flexibility and scalability.
- Cons:
  - Involves multiple steps and components (S3, Lambda, resource data sync), which adds complexity. However, the automation provided by Lambda is a key advantage.
  - Although scalable, operational overhead is moderate since it involves configuring event-driven Lambda functions and handling data storage.
- Best use case: For organizations requiring automated, scalable analysis after inventory syncs.
Option B:
Configure AWS Systems Manager on each instance. Use Systems Manager Inventory. Create AWS Config rules that monitor changes from Systems Manager Inventory to identify prohibited applications.
- Pros:
  - AWS Config rules allow for continuous monitoring and compliance checks in near real-time.
  - Directly integrates with Systems Manager Inventory for automated checks on EC2 instances.
- Cons:
  - AWS Config can have additional setup requirements, such as configuring rules for each possible prohibited application scenario, which could be more granular but also time-consuming.
  - AWS Config also incurs additional costs.
- Best use case: Enforcing ongoing compliance and configuration drift detection in your environment; it may not be as flexible or efficient for the specific task of identifying prohibited applications.
Option C:
Confi...
Author: Elizabeth · Last updated May 17, 2026
A company has an event-driven JavaScript application. The application uses decoupled AWS managed services that publish, consume, and route events. During application testing, events are not delivered to the target that is specified by an Amazon EventBridge rule.
A DevOps team must provide application testers with additional functionality to view, troubleshoot, and prevent...
To meet the requirements of providing application testers with additional functionality to view, troubleshoot, and prevent the loss of events without redeploying the application, let's carefully analyze the given options and the best course of action:
Option A: Launch AWS Device Farm with a standard test environment and project to run a specific build of the application.
- Rejection Reason: AWS Device Farm is primarily used for mobile and web application testing, including testing of app behavior across multiple devices and browsers. This is not relevant to troubleshooting event delivery or routing issues in an event-driven application using EventBridge.
- Best use case: Suitable for testing mobile apps, not for event-driven application debugging.
Option B: Create an Amazon S3 bucket. Enable AWS CloudTrail. Create a CloudTrail trail that specifies the S3 bucket as the storage location.
- Rejection Reason: CloudTrail logs API calls and does not directly assist with troubleshooting event delivery or routing issues for EventBridge events. While CloudTrail can track API activities, it won’t capture event content or provide visibility into EventBridge’s event handling, making it insufficient for this specific need.
- Best use case: Useful for auditing API calls, but not for troubleshooting events in EventBridge.
Option C: Configure the EventBridge rule to use an Amazon Simple Queue Service (Amazon SQS) standard queue as a dead-letter queue.
- Selection Reason: Configuring a dead-letter queue (DLQ) is essential for handling events that fail to be delivered. By using an Amazon SQS standard queue as a DLQ, undelivered events can be captured, stored, and analyzed later. This will allow testers to see if events were not successfully routed, providing an effective mechanism to prevent event loss.
- Best use case: Ideal for ensuring that events that cannot be delivered are captured and available for troubleshooting.
Option D: Configure the EventBridge rule to use an Amazon Simple Queue Service (Amazon SQS) FIFO queue as a ...
Author: Aria · Last updated May 17, 2026
A company is migrating its container-based workloads to an AWS Organizations multi-account environment. The environment consists of application workload accounts that the company uses to deploy and run the containerized workloads. The company has also provisioned a shared services account for shared workloads in the organization.
The company must follow strict compliance regulations. All container images must receive security scanning before they are deployed to any environment. Images can be consumed by downstream deployment mechanisms after the images pass a scan with no critical vulnerabilities. Pre-scan and post-scan images ...
To meet the requirements of centralizing the process of securing and managing container images with the least administrative overhead, let’s evaluate the options carefully:
Option A: Create Amazon Elastic Container Registry (Amazon ECR) repositories in the shared services account: one repository for each pre-scan image and one repository for each post-scan image. Configure Amazon ECR image scanning to run on new image pushes to the pre-scan repositories. Use resource-based policies to grant the organization write access to the pre-scan repositories and read access to the post-scan repositories.
- Selection Reason: This solution centralizes the repositories in the shared services account, which simplifies management and visibility. It ensures that only post-scan images are used in deployments, as the post-scan repositories are isolated from pre-scan images. Using resource-based policies provides access control to the pre-scan and post-scan repositories, enabling strict compliance.
- Best use case: Centralized control and simplified permissions with a clear distinction between pre-scan and post-scan images. This meets the security and compliance requirement with minimal administrative overhead.
Option B: Create pre-scan Amazon Elastic Container Registry (Amazon ECR) repositories in each account that publishes container images. Create repositories for post-scan images in the shared services account. Configure Amazon ECR image scanning to run on new image pushes to the pre-scan repositories. Use resource-based policies to grant the organization read access to the post-scan repositories.
- Rejection Reason: While this option centralizes the post-scan repositories in the shared services account, it requires the creation and management of pre-scan repositories in each account. This increases administrative overhead as each account must manage its own pre-scan repository. This also complicates the management of permissions across multiple accounts.
- Best use case: Useful when the organization has strict account isolation needs for pre-scan images, but not ideal for minimizing administrative overhead.
Option C: Configure image replication for each image from the image's pre-scan repository to the image's post-scan repository.
- Rejection Reason: Image replication would introduce additional complexity and overhead. While this ensures pre-scan images are copi...
Author: Emily · Last updated May 17, 2026
A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to deploy its web applications on containers. The web applications contain confidential data that cannot be decrypted without specific credentials.
A DevOps engineer has stored the credentials in AWS Secrets Manager. The secrets are encrypted by an AWS Key Management Service (AWS KMS) customer managed key. A Kubernetes service account for a third-party tool makes the secrets available to the applications. The service account assumes an IAM ...
To determine the root cause of the "Access Denied (403 Forbidden)" error when the Kubernetes service account attempts to retrieve secrets from AWS Secrets Manager, let’s break down the options:
Option A: The IAM role that is attached to the EKS cluster does not have access to retrieve the secrets from Secrets Manager.
- Rejection Reason: The IAM role attached to the EKS cluster typically doesn't need direct access to the secrets from Secrets Manager. Instead, it's the Kubernetes service account (which assumes an IAM role) that requires the necessary permissions. The error likely stems from an issue with the permissions of the IAM role assumed by the service account, not the EKS cluster IAM role.
- Best use case: This option would be applicable if the EKS cluster role directly accessed Secrets Manager, but in this case, the access should be granted to the service account's IAM role.
Option B: The key policy for the customer managed key does not allow the Kubernetes service account IAM role to use the key.
- Selection Reason: This is the most likely cause of the issue. The IAM role assumed by the Kubernetes service account needs permissions to use the customer managed KMS key that encrypts the secrets in AWS Secrets Manager. If the key policy for the KMS key does not explicitly grant this IAM role the `kms:Decrypt` permission, it would result in an access denied error when trying to decrypt the secrets.
- Best use case: This directly addresses the issue because the secrets are encrypted with a KMS key, and the service account’s IAM role must be permitted to use ...
Author: Olivia Johnson · Last updated May 17, 2026
A company is migrating its product development teams from an on-premises data center to a hybrid environment. The new environment will add four AWS Regions and will give the developers the ability to use the Region that is geographically closest to them.
All the development teams use a shared set of Linux applications. The on-premises data center stores the applications on a NetApp ONTAP storage device. The storage volume is mounted read-only on the development on-premises VMs. The company updates the applications on the shared volume once a week.
A DevOps engineer needs to replicate t...
The goal of this solution is to replicate data to multiple AWS Regions in a way that ensures it is always up to date, deduplicated, and not dependent on the availability of the on-premises storage device. Let’s break down each option to determine which best meets the requirements:
Option A: Create an Amazon S3 File Gateway in the on-premises data center. Create S3 buckets in each Region. Set up a cron job to copy the data from the storage device to the S3 File Gateway. Set up S3 Cross-Region Replication (CRR) to the S3 buckets in each Region.
- Rejection Reason: S3 File Gateway allows on-premises applications to access data stored in S3, but this solution introduces unnecessary complexity by relying on cron jobs to manage data replication from the storage device to S3. S3 Cross-Region Replication (CRR) would replicate the data across Regions, but it’s not optimized for frequent updates with deduplication. Also, data consistency and sync would not be as tightly controlled or real-time as needed.
- Best use case: Suitable for static data that doesn’t change frequently, but not ideal for applications that need consistent updates and deduplication across multiple Regions.
Option B: Create an Amazon FSx File Gateway in one Region. Create file servers in Amazon FSx for Windows File Server in each Region. Set up a cron job to copy the data from the storage device to the FSx File Gateway.
- Rejection Reason: Amazon FSx File Gateway is designed to integrate with FSx for Windows File Server, but the use of a cron job and copying data to a single FSx File Gateway does not address the requirement of replicating data across multiple Regions. FSx for Windows File Server is more suitable for Windows-based workloads, and it lacks the native replication capabilities needed to meet the requirement.
- Best use case: Good for Windows environments where you need file sharing, but not suited for multi-region Linux-based applications and real-time updates.
Option C: Create Multi-AZ Amazon FSx for NetApp ONTAP instances and volumes in each Region. Configur...
Author: Leah · Last updated May 17, 2026
A company has an application that stores data that includes personally identifiable information (PII) in an Amazon S3 bucket. All data is encrypted with AWS Key Management Service (AWS KMS) customer managed keys. All AWS resources are deployed from an AWS CloudFormation template.
A DevOps engineer needs to set up a development environment for the application in a different AWS account. The data in the development environment's S3 bucket needs to be updated once a week from the production environment's S3 bucket.
The company must not move PII from the produc...
Let's break down the options and explain why certain steps would work and others wouldn’t. The key factors here are:
- PII must be anonymized before moving between the production and development environments.
- Encryption must be handled with different KMS keys in each account.
- Data must be copied weekly, so automation is needed.
- Anonymization must happen before moving the data.
Option A: Activate Amazon Macie on the S3 bucket in the production account. Create an AWS Step Functions state machine to initiate a discovery job and redact all PII before copying files to the S3 bucket in the development account. Give the state machine tasks decrypt permissions on the KMS key in the production account. Give the state machine tasks encrypt permissions on the KMS key in the development account.
- Analysis: Amazon Macie can detect PII, and the proposed solution uses AWS Step Functions to automate the process of anonymizing the PII (via a discovery job) before copying to the development account. This is a valid approach to ensure PII is anonymized.
- Permissions: Decrypt and encrypt permissions on the respective KMS keys are handled correctly.
- Why it's selected: This is an appropriate way to handle the PII redaction before moving data, and it leverages managed services (Macie, Step Functions) that can scale to the task.
Option B: Set up S3 replication between the production S3 bucket and the development S3 bucket. Activate Amazon Macie on the development S3 bucket. Create an AWS Step Functions state machine to initiate a discovery job and redact all PII as the files are copied to the development S3 bucket. Give the state machine tasks encrypt and decrypt permissions on the KMS key in the development account.
- Analysis: While S3 replication helps copy the data, it does not allow you to alter the data as it is being copied. Anonymizing PII during the copy process would not work with this approach.
- Permissions: The permissions to the KMS key in the development account are correct, but the core issue is the inability to redact PII during replication.
- Why...
Author: Rahul · Last updated May 17, 2026
A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host its machine learning (ML) application. As the ML model and the container image size grow, the time that new pods take to start up has increased to several minutes.
A DevOps engineer needs to reduce the startup time to seconds. The solution must also reduce the startup time to seconds when the pod runs on nodes that were recently added to the cluster.
The DevOps engineer creates an Amazon EventBridge rule that invokes an automation in AWS Systems Manager. The automation prefetches the container images from an Ama...
To reduce pod startup time, the DevOps engineer needs to ensure that container images are preloaded onto the worker nodes before the pods attempt to start. This will avoid the need to pull the images from Amazon Elastic Container Registry (ECR) during pod startup, thus significantly reducing the time it takes for the pods to become ready.
Let's analyze each option:
Option A: Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster's control plane nodes. Create a Systems Manager State Manager association that uses the control plane nodes' tags to prefetch corresponding container images.
- Analysis: The control plane nodes in Amazon EKS are managed by AWS and are not directly responsible for running application pods. Prefetching images to the control plane would not benefit the actual pods or their startup times. Thus, focusing on the control plane nodes is not relevant for improving pod startup time.
- Why it's rejected: The solution should focus on the worker nodes, where the application pods run, not the control plane nodes.
Option B: Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster's nodes. Create a Systems Manager State Manager association that uses the nodes' machine size to prefetch corresponding container images.
- Analysis: This option suggests using the machine size (e.g., instance type) to trigger the prefetching of container images. While machine size can be relevant for determining resource requirements, it doesn't directly address the need to prefetch images based on the pods that will run on the nodes. The approach of using machine size isn't the most efficient or practical in terms of ensuring images are prefetched correctly for the application...
Author: ThunderBear · Last updated May 17, 2026
A company's application has an API that retrieves workload metrics. The company needs to audit, analyze, and visualize these metrics from the application to detect issues at scale...
Let's go step by step and evaluate the options based on the requirement to audit, analyze, and visualize workload metrics.
Option A: Configure an Amazon EventBridge schedule to invoke an AWS Lambda function that calls the API to retrieve workload metrics. Store the workload metric data in an Amazon S3 bucket.
- Analysis: The idea here is to use Amazon EventBridge to schedule periodic invocations of an AWS Lambda function to retrieve workload metrics from an API and store them in an Amazon S3 bucket. This approach ensures the metrics are gathered regularly and stored for further analysis.
- Why it's selected: S3 is a suitable storage solution for large datasets like metrics because it's scalable, cost-effective, and allows easy integration with analytics tools like Athena.
- Why other options are rejected: Storing metrics in S3 is a straightforward, flexible approach for later analysis.
Option B: Configure an Amazon EventBridge schedule to invoke an AWS Lambda function that calls the API to retrieve workload metrics. Store the workload metric data in an Amazon DynamoDB table that has a DynamoDB stream enabled.
- Analysis: This option suggests storing workload metrics in Amazon DynamoDB with a stream enabled. While DynamoDB is a fast and scalable database, using it for metrics storage is not the most efficient approach because:
  - DynamoDB is more optimized for transactional data and fast key-value access.
  - Metrics typically benefit from a more cost-efficient and scalable storage solution like S3.
  - Streams add complexity and might not be necessary for this use case if we're just collecting and analyzing the data.
- Why it's rejected: DynamoDB isn't ideal for storing large volumes of metrics data and visualizing it, especially when S3 can serve this purpose more effectively.
Option C: Create an AWS Glue crawler to catalog the workload metric data in the Amazon S3 bucket. Create views in Amazon Athena for the cataloged data.
- Analysis: AWS Glue crawlers can automatically detect and catalog the structure of data stored in S3. By creating views in Amazon Athena, which is a serverless query service, you can easily run SQL queries against the stored metrics. This is a very efficient way to analyze large datasets stored in S3.
- Why it's selected: Using AWS Glue to catalog the data and Athena for querying makes it easy to perform analysis on the stored workload metrics. This step is...
Author: Sara · Last updated May 17, 2026
A DevOps engineer is building the infrastructure for an application. The application needs to run on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that includes Amazon EC2 instances. The EC2 instances need to use an Amazon Elastic File System (Amazon EFS) file system as a storage backend. The Amazon EFS Container Storage Interface (CSI) driver is installed on the EKS clu...
Let's evaluate each option in terms of fixing the issue where EC2 instances in an Amazon EKS cluster are unable to mount an Amazon Elastic File System (Amazon EFS).
Option A: Switch the EKS nodes from Amazon EC2 to AWS Fargate.
- Analysis: AWS Fargate is a serverless compute engine for containers that abstracts away the underlying EC2 instances. While this might be an alternative approach in some cases, Fargate does not currently support EFS as a file system for container workloads directly. The problem here involves mounting EFS on EC2 instances, so switching to Fargate is unlikely to help.
- Why it's rejected: This option doesn't address the issue of EFS mounting on EC2 instances, which is the core requirement here.
Option B: Add an inbound rule to the EFS file system's security group to allow NFS traffic from the EKS cluster.
- Analysis: NFS traffic (Network File System) is required for the EC2 instances to mount the EFS file system. If the security group attached to the EFS file system doesn't allow inbound NFS traffic from the EC2 instances (or the EKS worker nodes), the EC2 instances will not be able to mount the EFS file system.
- Why it's selected: Adding the correct inbound rule to the EFS security group to allow NFS traffic (usually on port 2049) from the EC2 instances running in the EKS cluster will resolve the issue.
Option C: Create an IAM role that allows the Amazon EFS CSI driver to interact with the file system.
- Analysis: The Amazon EFS Container Storage Interface (CSI) driver requires appropriate IAM permissions to interact with the EFS file system. This IAM role must be assigned to the nodes or services that need to mount the file system, and it grants the CSI driver the necessary permissions.
- Why it's selected: This step is essential because the EFS CSI driver needs permissions to manage the mount and unmount operations, so creating the required IAM role and granting it appropriate permissions ensures the EFS driver can interact with the file system.
Option D: Set up AWS DataSync to configure file transfer between the EFS file system and the EKS nodes.
- Analysis: AWS DataSync is a managed service...
Author: Joseph · Last updated May 17, 2026
A company deploys an application on on-premises devices in the company's on-premises data center. The company uses an AWS Direct Connect connection between the data center and the company's AWS account. During initial setup of the on-premises devices and during application updates, the application needs to retrieve configuration files from an Amazon Elastic File System (Amazon EFS) file system.
All traffic from the on-premises devices to Amazon EFS must remain private and encrypted. The on-premises devices must follow the principle of lea...
Let's go through each option and evaluate them based on the requirements:
Requirement Summary:
- Private and encrypted traffic: The traffic between the on-premises devices and Amazon EFS must remain private and encrypted.
- Least privilege: The devices should follow the principle of least privilege for AWS access.
- Revoke access from a single device: The ability to revoke access from an individual device without impacting others.
---
Option A: Create an IAM user that has an access key and a secret key for each device. Attach the AmazonElasticFileSystemFullAccess policy to all IAM users. Configure the AWS CLI on the on-premises devices to use the IAM user's access key and secret key.
- Analysis: This option involves creating IAM users with access keys for each device. While this could provide access to the EFS, it violates the principle of least privilege. AmazonElasticFileSystemFullAccess grants overly broad permissions, including the ability to perform administrative tasks, which is not ideal for restricting access.
- Why it's rejected: The AmazonElasticFileSystemFullAccess policy is too permissive. Additionally, managing access through IAM users with access keys would not be an efficient or secure way to control access and revoke it on a per-device basis.
Option B: Generate certificates for each on-premises device in AWS Private Certificate Authority. Create a trust anchor in IAM Roles Anywhere that references an AWS Private CA. Create an IAM role that trusts IAM Roles Anywhere. Attach the AmazonElasticFileSystemClientReadWriteAccess to the role. Create an IAM Roles Anywhere profile for the IAM role. Configure the AWS CLI on the on-premises devices to use the aws_signing_helper command to obtain credentials.
- Analysis: This approach uses IAM Roles Anywhere, which allows on-premises devices to use certificates to authenticate and obtain temporary credentials for accessing AWS resources. This method follows the least privilege principle because the devices only get the permissions necessary to access the EFS file system. Each device can be managed individually, and the access can be revoked by deleting the profile or the certificate.
- Why it's selected: This solution provides fine-grained access control and follows best practices for managing credentials. It also allows access to be revoked on a per-device basis without affecting others.
Option C: Create an IAM user that has an access key and a secret key for all devices. Attach the AmazonElasticFileS...
Author: Zara · Last updated May 17, 2026
A DevOps engineer is setting up an Amazon Elastic Container Service (Amazon ECS) blue/green deployment for an application by using AWS CodeDeploy and AWS CloudFormation. During the deployment window, the application must be highly available and CodeDeploy must shift 10% of traffic to a new version of the application every minute ...
When setting up a blue/green deployment for Amazon ECS with AWS CodeDeploy and CloudFormation, the DevOps engineer needs to meet specific requirements such as traffic shifting in increments of 10% every minute while ensuring high availability during the deployment window. Here's a breakdown of each option and the reasoning behind selecting the correct one.
A) Add an AppSpec file with the CodeDeployDefault.ECSLinear10PercentEvery1Minute deployment configuration.
- Explanation: This option specifies the `CodeDeployDefault.ECSLinear10PercentEvery1Minute` deployment configuration, which shifts 10% of the traffic every minute. However, this configuration is not associated with AWS CloudFormation directly and would require using an AppSpec file in the ECS task definition.
- Reason Rejected: While this configuration is correct in terms of traffic shifting (10% per minute), the task of adding deployment configurations in a CloudFormation template needs to be handled with specific AWS resources, such as the `AWS::CodeDeploy::DeploymentGroup` and its `BlueGreen` parameters. This option does not directly fit into the CloudFormation model.
B) Add the AWS::CodeDeployBlueGreen transform and the AWS::CodeDeploy::BlueGreen hook parameter with the CodeDeployDefault.ECSLinear10PercentEvery1Minute deployment configuration.
- Explanation: This option adds the `AWS::CodeDeployBlueGreen` transform, which is specifically designed to define a blue/green deployment using AWS CloudFormation. Additionally, the `AWS::CodeDeploy::BlueGreen` hook and deployment configuration `CodeDeployDefault.ECSLinear10PercentEvery1Minute` are specified. This configuration ensures a gradual traffic shift of 10% every minute.
- Reason Selected: This option fits the requirements ...
Author: Benjamin · Last updated May 17, 2026
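What the hook actually looks like in a template is easier to see than to describe. The Python below is an added example (not from the question or from AWS sample code): it builds the Transform and Hooks entries for an ECS blue/green deployment and computes the traffic-shift timeline. Property names follow the AWS::CodeDeployBlueGreen hook reference; the logical IDs (AppService, CodeDeployHookRole, BlueTaskDefinition and so on) are assumptions that must match resources declared in the same template. Note that the hook expresses the 10%-per-minute shift as a TimeBasedLinear TrafficRoutingConfig (StepPercentage and BakeTimeMins) rather than as a CodeDeployDefault.* configuration name.

```python
"""Hooks section for an ECS blue/green deployment driven by CloudFormation,
plus the traffic-shift timeline that a time-based linear configuration yields."""
import json


def linear_traffic_schedule(step_percentage: int, interval_minutes: int) -> list:
    """Return (minute, cumulative_percent) pairs for a time-based linear shift.

    Modelled with the first increment at minute 0 and one more every
    interval_minutes until 100% is on the green task set (an assumption about
    where the clock starts). 10% every minute therefore takes ten increments
    and completes at minute 9.
    """
    if not 0 < step_percentage <= 100 or interval_minutes <= 0:
        raise ValueError("step must be 1..100 percent and the interval positive")
    schedule, shifted, minute = [], 0, 0
    while shifted < 100:
        shifted = min(100, shifted + step_percentage)
        schedule.append((minute, shifted))
        minute += interval_minutes
    return schedule


def blue_green_hook(service_logical_id: str, step_percentage: int, interval_minutes: int,
                    termination_wait_minutes: int = 5) -> dict:
    """Transform and Hooks entries to merge into the template.

    Logical IDs used here (CodeDeployHookRole, BlueTaskDefinition, ...) are
    assumptions for the example and must match resources in the same template.
    """
    return {
        "Transform": ["AWS::CodeDeployBlueGreen"],
        "Hooks": {
            "CodeDeployBlueGreenHook": {
                "Type": "AWS::CodeDeployBlueGreen",
                "Properties": {
                    "ServiceRole": "CodeDeployHookRole",
                    "Applications": [{
                        "Target": {"Type": "AWS::ECS::Service",
                                   "LogicalID": service_logical_id},
                        "ECSAttributes": {
                            "TaskDefinitions": ["BlueTaskDefinition", "GreenTaskDefinition"],
                            "TaskSets": ["BlueTaskSet", "GreenTaskSet"],
                            "TrafficRouting": {
                                "ProdTrafficRoute": {
                                    "Type": "AWS::ElasticLoadBalancingV2::Listener",
                                    "LogicalID": "ProdListener"},
                                "TestTrafficRoute": {
                                    "Type": "AWS::ElasticLoadBalancingV2::Listener",
                                    "LogicalID": "TestListener"},
                                "TargetGroups": ["BlueTargetGroup", "GreenTargetGroup"],
                            },
                        },
                    }],
                    # 10% every minute: the hook's equivalent of the
                    # CodeDeployDefault.ECSLinear10PercentEvery1Minute configuration.
                    "TrafficRoutingConfig": {
                        "Type": "TimeBasedLinear",
                        "TimeBasedLinear": {"StepPercentage": step_percentage,
                                            "BakeTimeMins": interval_minutes},
                    },
                    # How long the blue task set stays up after traffic has fully
                    # moved, so a rollback does not need to relaunch tasks.
                    "AdditionalOptions": {
                        "TerminationWaitTimeInMinutes": termination_wait_minutes},
                },
            }
        },
    }


if __name__ == "__main__":
    print(json.dumps(blue_green_hook("AppService", 10, 1), indent=2))
    for minute, pct in linear_traffic_schedule(10, 1):
        print(f"t+{minute:2d} min: {pct:3d}% on green")
```

The hook needs two task definitions, two task sets, a production listener, a test listener and two target groups in the same template; CloudFormation swaps the green resources in during a stack update and keeps the blue task set for TerminationWaitTimeInMinutes so the shift can be reversed.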
A company uses an organization in AWS Organizations to manage its AWS accounts. The company's DevOps team has developed an AWS Lambda function that calls the Organizations API to create new AWS accounts.
The Lambda function runs in the organization's management account. The DevOps team needs to move the Lambda function from the management account to a dedicated AWS account. The DevOps team must ensure that the Lambda fu...
In this scenario, the goal is to move a Lambda function from the management account to a dedicated AWS account while ensuring that the Lambda function has the ability to create new AWS accounts using the Organizations API. The function needs to maintain the permission to create new AWS accounts only in AWS Organizations before deployment.
Let’s evaluate each option:
A) In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda execution role in the new AWS account. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
- Explanation: This option suggests creating an IAM role in the management account that has permission to create new AWS accounts in Organizations. The Lambda function in the new AWS account will assume this role to gain the necessary permissions.
- Why Selected: This approach is sound because it separates the permission management by using cross-account role assumption. The Lambda execution role in the new account can assume the role in the management account to perform the necessary operations. The Lambda function itself doesn’t need permanent permissions for creating accounts, and the role-based access control ensures that the management account retains the control.
- Key Factors: Cross-account access is commonly used for delegating permissions across AWS accounts, and it aligns with the security principle of least privilege.
B) In the management account, turn on delegated administration for Organizations. Create a new delegation policy that grants the new AWS account permission to create new AWS accounts in Organizations. Ensure that the Lambda execution role has the organizations:CreateAccount permission.
- Explanation: This option suggests enabling delegated administration for AWS Organizations and assigning the new account permission to create accounts. The Lambda execution role would then directly hold the necessary permission.
- Why Rejected: While delegated administration is a useful feature for allowing specific accounts to manage aspects of AWS Organizations, the security model of using IAM roles is more flexible and secure in this scenario. Additionally, it would give the Lambda execution role in the new account broad permissions for AWS Organizations, which is ...
Author: Sophia Clark · Last updated May 17, 2026
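The cross-account pattern in option A has three moving parts: the trust policy on the management-account role, the permission on the Lambda execution role to assume it, and the function code that assumes the role before calling CreateAccount. The following is an added example, not code from the question or from AWS; account IDs, role names and the e-mail address are assumptions, and the STS and Organizations clients are injected so the flow can be exercised offline with the constructed stand-ins at the bottom.

```python
"""Cross-account role assumption for Organizations CreateAccount (added example)."""
import json

MGMT_ACCOUNT_ID = "111111111111"        # assumed management account
DEVOPS_ACCOUNT_ID = "222222222222"      # assumed dedicated DevOps account
MGMT_ROLE_ARN = f"arn:aws:iam::{MGMT_ACCOUNT_ID}:role/OrgAccountCreator"
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT_ID}:role/AccountFactoryLambdaRole"


def management_role_trust_policy() -> dict:
    """Trust policy on OrgAccountCreator: only the Lambda execution role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": LAMBDA_EXEC_ROLE_ARN},
            "Action": "sts:AssumeRole",
        }],
    }


def management_role_permissions() -> dict:
    """Permissions on OrgAccountCreator: create accounts and poll the result, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["organizations:CreateAccount",
                       "organizations:DescribeCreateAccountStatus"],
            "Resource": "*",
        }],
    }


def lambda_execution_role_permissions() -> dict:
    """Permissions on the Lambda execution role: assume exactly one role, nothing in Organizations."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": MGMT_ROLE_ARN}],
    }


def create_account(sts_client, organizations_client_factory, email: str, account_name: str) -> str:
    """Assume the management-account role, then call CreateAccount with those credentials.

    organizations_client_factory(creds) builds an Organizations client from the temporary
    credentials; with boto3 that is
      boto3.client("organizations", aws_access_key_id=creds["AccessKeyId"],
                   aws_secret_access_key=creds["SecretAccessKey"],
                   aws_session_token=creds["SessionToken"]).
    Returns the CreateAccountStatus Id; CreateAccount is asynchronous, so the caller
    polls DescribeCreateAccountStatus with the same assumed credentials.
    """
    assumed = sts_client.assume_role(RoleArn=MGMT_ROLE_ARN,
                                     RoleSessionName="account-factory",
                                     DurationSeconds=900)   # shortest allowed session
    org = organizations_client_factory(assumed["Credentials"])
    resp = org.create_account(Email=email, AccountName=account_name,
                              IamUserAccessToBilling="DENY")
    return resp["CreateAccountStatus"]["Id"]


class _FakeSts:
    """Constructed stand-in for boto3's STS client: records which role was requested."""
    def __init__(self):
        self.assumed = []

    def assume_role(self, **kw):
        self.assumed.append(kw["RoleArn"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                                "SessionToken": "y"}}


class _FakeOrganizations:
    """Constructed stand-in for the Organizations client built from assumed credentials."""
    def __init__(self, creds):
        self.creds = creds

    def create_account(self, **kw):
        return {"CreateAccountStatus": {"Id": "car-0123456789abcdef", "State": "IN_PROGRESS"}}


def demo() -> tuple:
    sts = _FakeSts()
    request_id = create_account(sts, _FakeOrganizations, "new-account@example.com", "workload-01")
    return request_id, sts.assumed


if __name__ == "__main__":
    print(json.dumps(management_role_trust_policy(), indent=2))
    print(demo())
```

The execution role in the DevOps account holds no Organizations permission at all; everything that can create an account lives on the management-account role, whose trust policy names one principal. Revoking the capability is a one-line change to that trust policy.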
A company has deployed an application in a single AWS Region. The application backend uses Amazon DynamoDB tables and Amazon S3 buckets.
The company wants to deploy the application in a secondary Region. The company must ensure that the data in the DynamoDB tables and the S3 buckets persists across both Regions. The...
The company wants to deploy the application in a secondary Region while ensuring that the data in both Amazon DynamoDB tables and S3 buckets persists and immediately propagates across both Regions. The solution should be operationally efficient and allow data synchronization between Regions in near real-time.
Evaluation of the options:
A) Implement two-way S3 bucket replication between the primary Region's S3 buckets and the secondary Region's S3 buckets. Convert the DynamoDB tables into global tables. Set the secondary Region as the additional Region.
- Explanation:
- S3 bucket replication is used for propagating data across Regions. However, two-way replication is not supported by AWS S3 directly. S3 replication only allows one-way replication from the source to the destination region. Implementing a two-way replication setup would require complex management and automation outside of the native capabilities of S3.
- DynamoDB Global Tables: This is a correct solution for achieving immediate propagation of DynamoDB data across Regions, as global tables automatically synchronize data between Regions.
- Why Rejected: The two-way S3 replication does not align with the native capabilities of S3, making this option less operationally efficient. Although DynamoDB Global Tables work well, the S3 replication mechanism is not ideal in this case.
B) Implement S3 Batch Operations copy jobs between the primary Region and the secondary Region for all S3 buckets. Convert the DynamoDB tables into global tables. Set the secondary Region as the additional Region.
- Explanation:
- S3 Batch Operations are great for copying large volumes of objects between S3 buckets, but they are not designed for real-time or immediate data replication. Instead, they are typically used for bulk data operations, and they do not provide immediate data consistency across Regions.
- DynamoDB Global Tables are correctly used for ensuring that DynamoDB data is replicated across Regions with low latency.
- Why Rejected: S3 Batch Operations are not the best choice for immediate data propagation across Regions, as they introduce latency and are not suited for real-time replication.
C) Implement two-way S3 bucket replication between the pri...
Author: Aarav · Last updated May 17, 2026
A company has configured Amazon RDS storage autoscaling for its RDS DB instances. A DevOps team needs to visualize the autoscaling events on an Amazon C...
To meet the requirement of visualizing Amazon RDS storage autoscaling events on a CloudWatch dashboard, the solution should focus on capturing those events and enabling visualization in an efficient and straightforward way. Let's evaluate each option.
A) Create an Amazon EventBridge rule that reacts to RDS storage autoscaling events from RDS events. Create an AWS Lambda function that publishes a CloudWatch custom metric. Configure the EventBridge rule to invoke the Lambda function. Visualize the custom metric by using the CloudWatch dashboard.
- Explanation: This solution proposes using Amazon EventBridge to capture RDS storage autoscaling events, triggering a Lambda function that publishes a custom metric to CloudWatch. You could then visualize this custom metric on a CloudWatch dashboard.
- Why Selected: This approach allows real-time monitoring of RDS storage autoscaling events. EventBridge can capture the events, and the Lambda function provides flexibility in processing or transforming the events into a custom CloudWatch metric. This can be visualized efficiently on the CloudWatch dashboard, offering a highly customizable and direct method for tracking autoscaling events.
B) Create a trail by using AWS CloudTrail with management events configured. Configure the trail to send the management events to Amazon CloudWatch Logs. Create a metric filter in CloudWatch Logs to match the RDS storage autoscaling events. Visualize the metric filter by using the CloudWatch dashboard.
- Explanation: This approach uses CloudTrail to log management events and sends them to CloudWatch Logs, where a metric filter is applied to capture autoscaling events. This metric is then visualized on the CloudWatch dashboard.
- Why Rejected: While CloudTrail logs management events, RDS storage autoscaling events are not always categorized as management events. This means that relying on CloudTrail management events may not be a reliable or straightforward way to capture RDS storage autoscaling specifically. CloudTrail is typically used for API calls and management actions rather than automatic scaling events, which may not be capt...
Author: Andrew · Last updated May 17, 2026
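For the selected option the interesting parts are the rule pattern and the Lambda body. Below is an added example (not the question's code): an EventBridge pattern for RDS DB instance events, a handler that turns a storage autoscaling event into one CloudWatch custom-metric datum keyed by DB instance, and a constructed sample event. The namespace and metric name are assumptions; the substrings used to recognise a storage autoscaling message are also an assumption and should be checked against the Message text of a real event in your account.

```python
"""Lambda handler that turns RDS events delivered by EventBridge into a CloudWatch custom metric."""
METRIC_NAMESPACE = "Custom/RDSStorageAutoscaling"     # assumed namespace
METRIC_NAME = "StorageAutoscalingEvents"
# Substrings that identify a storage autoscaling message (assumption; verify on a real event).
AUTOSCALING_MARKERS = ("autoscal", "storage")

# EventBridge rule pattern: every RDS DB instance event; the handler filters further.
RULE_EVENT_PATTERN = {"source": ["aws.rds"], "detail-type": ["RDS DB Instance Event"]}


def is_storage_autoscaling_event(detail: dict) -> bool:
    message = detail.get("Message", "").lower()
    return (detail.get("SourceType") == "DB_INSTANCE"
            and all(marker in message for marker in AUTOSCALING_MARKERS))


def metric_datum(detail: dict) -> dict:
    """One datum per event, dimensioned by DB instance so the dashboard can split by instance."""
    return {
        "MetricName": METRIC_NAME,
        "Dimensions": [{"Name": "DBInstanceIdentifier", "Value": detail["SourceIdentifier"]}],
        "Value": 1,
        "Unit": "Count",
    }


def handler(event: dict, context=None, cloudwatch=None) -> dict:
    """Lambda entry point. cloudwatch is injectable for offline tests and defaults to boto3."""
    detail = event.get("detail", {})
    if not is_storage_autoscaling_event(detail):
        return {"published": False, "reason": "not a storage autoscaling event"}
    if cloudwatch is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        cloudwatch = boto3.client("cloudwatch")
    datum = metric_datum(detail)
    cloudwatch.put_metric_data(Namespace=METRIC_NAMESPACE, MetricData=[datum])
    return {"published": True, "datum": datum}


SAMPLE_EVENT = {   # constructed; the shape follows EventBridge's RDS DB Instance Event
    "source": "aws.rds",
    "detail-type": "RDS DB Instance Event",
    "detail": {
        "EventCategories": ["configuration change"],
        "SourceType": "DB_INSTANCE",
        "SourceIdentifier": "orders-db",
        "Message": "Storage autoscaling increased allocated storage from 100 GiB to 120 GiB",
        "Date": "2026-05-17T10:15:00.000Z",
    },
}


class _FakeCloudWatch:
    """Constructed stand-in that records put_metric_data calls."""
    def __init__(self):
        self.calls = []

    def put_metric_data(self, **kw):
        self.calls.append(kw)


def demo() -> tuple:
    cw = _FakeCloudWatch()
    return handler(SAMPLE_EVENT, cloudwatch=cw), cw.calls


if __name__ == "__main__":
    print(demo())
```

On the dashboard, graph the metric with the SUM statistic per period; a datum is only written when an event arrives, so use a fill of zero rather than treating missing data as a gap. The Lambda execution role needs cloudwatch:PutMetricData and nothing else for this path.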
A company uses containers for its applications. The company learns that some container images are missing required security configurations.
A DevOps engineer needs to implement a solution to create a standard base image. The solution must publish the base image weekl...
The goal is to create a standard base image for container applications that includes security configurations and then publish this image weekly to multiple AWS Regions: us-west-2, us-east-2, and eu-central-1. Let’s evaluate each option in detail:
A) Create an EC2 Image Builder pipeline that uses a container recipe to build the image. Configure the pipeline to distribute the image to an Amazon Elastic Container Registry (Amazon ECR) repository in us-west-2. Configure ECR replication from us-west-2 to us-east-2 and from us-east-2 to eu-central-1. Configure the pipeline to run weekly.
- Explanation:
- EC2 Image Builder is specifically designed for automating the creation and distribution of container images, making it a good fit for the use case.
- ECR Replication can be configured to replicate container images between regions.
- Pros: The solution leverages EC2 Image Builder to automate the image creation process and uses ECR replication to distribute the image across multiple Regions.
- Why Rejected: While this solution is effective, it requires the added step of setting up replication between regions, which can introduce complexity and potential delays in synchronization. Replication might also not always be as efficient as directly distributing the image to multiple regions from the pipeline.
B) Create an AWS CodePipeline pipeline that uses an AWS CodeBuild project to build the image. Use AWS CodeDeploy to publish the image to an Amazon Elastic Container Registry (Amazon ECR) repository in us-west-2. Configure ECR replication from us-west-2 to us-east-2 and from us-east-2 to eu-central-1. Configure the pipeline to run weekly.
- Explanation:
- CodePipeline combined with CodeBuild can automate the image-building process.
- CodeDeploy is generally used for deploying applications rather than managing container images, which makes it less appropriate for this task.
- ECR Replication again is required, which introduces complexity.
- Why Rejected: Using CodeDeploy to publish the container image is not the best fit for this scenario. CodeDeploy is more suited to application deployme...
Author: Elizabeth · Last updated May 17, 2026
A DevOps engineer needs to implement a solution to install antivirus software on all the Amazon EC2 instances in an AWS account. The EC2 instances run the most recent version of Amazon Linux.
The solution must detect all instances and must use an AWS Systems Manag...
Let's evaluate each option in terms of how well it meets the requirement of installing antivirus software on all Amazon EC2 instances, ensuring the solution is capable of detecting all instances and using an AWS Systems Manager document to install the software if needed.
Option A: Create an association in Systems Manager State Manager.
- What this option does: This option targets all managed nodes and uses Systems Manager State Manager to apply a document that installs the antivirus software. If the software is not already installed, it will be installed as part of the association.
- Key factors:
- Targeting all managed nodes: State Manager is designed to ensure configurations are consistent across all managed EC2 instances, making it a good fit for this use case.
- Automation: Automatically installs the software if not present.
- Reliability: State Manager will keep track of the instances and apply the document as needed.
- Why this is ideal: It directly solves the requirement of using a Systems Manager document to install antivirus software on all EC2 instances and ensures compliance by applying the document regularly.
Option B: Set up AWS Config to record all resources and create a custom rule.
- What this option does: AWS Config tracks the configuration of resources in your AWS environment. You can create a custom rule to check whether antivirus software is installed and automatically remediate noncompliant EC2 instances.
- Key factors:
- Custom rules: You would need to write a custom rule to specifically detect the presence of antivirus software on each EC2 instance.
- Complexity: While effective, this approach requires more setup, as writing custom rules and ensuring that automatic remediation actions are correctly implemented can be complex.
- Why this is less ideal: The solution is more complicated and might not be as efficient as simply using Systems Manager to enforce the installation, especially when the goal is to simply install software on instances if it is missing. It is useful for ongoing compliance checks but isn't the most straightforward way to install soft...
Author: Ming88 · Last updated May 17, 2026
A company needs to increase the security of the container images that run in its production environment. The company wants to integrate operating system scanning and programming language package vulnerability scanning for the containers in its CI/CD pipeline. The CI/CD pipeline is an AWS CodePipeline pipeline that includes an AWS CodeBuild build project, AWS CodeDeploy actions, and an Amazon Elastic Container Registry (Amazon ECR) repository.
A DevOps engineer needs to add...
Let's evaluate the options based on the requirement of scanning the container images for vulnerabilities and ensuring that only images without CRITICAL or HIGH findings are deployed to production.
Option A: Use Amazon ECR basic scanning.
- What this option does: Amazon ECR's basic scanning analyzes container images for known vulnerabilities by using a database of Common Vulnerabilities and Exposures (CVE).
- Key factors:
- Basic scanning: It detects vulnerabilities in the operating system and application dependencies of the container image.
- Not sufficient for the requirement: While basic scanning detects known vulnerabilities, it doesn't offer detailed or extended analysis compared to enhanced scanning.
- Why this is rejected: Since the requirement is to increase security and filter out CRITICAL and HIGH findings, enhanced scanning (which provides more detailed security checks) is a better choice. Basic scanning might not catch all vulnerabilities and would not offer the necessary depth of analysis.
Option B: Use Amazon ECR enhanced scanning.
- What this option does: Amazon ECR enhanced scanning uses a more comprehensive set of tools, including Amazon Inspector, to scan container images for vulnerabilities.
- Key factors:
- Enhanced security: Enhanced scanning includes operating system and programming language package vulnerability detection, providing deeper insights into security risks within the image.
- Detailed findings: This provides the necessary level of detail to detect CRITICAL and HIGH vulnerabilities, ensuring that the pipeline only deploys secure images.
- Why this is selected: This option meets the requirements as it provides a higher level of vulnerability detection, crucial for making sure only secure images are deployed to production.
Option C: Configure Amazon ECR to submit a Rejected status to the CI/CD pipeline when the image scan returns CRITICAL or HIGH findings.
- What this option does: This option configures Amazon ECR to flag container images with CRITICAL or HIGH vulnerabilities and automatically rejects them, preventing deployment to production.
- Key factors:
- Automation: Automatically prevents vulnerable images from progressing in the CI/CD pipeline.
- Complia...
Author: Noah · Last updated May 17, 2026
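Turning a scan result into a pipeline decision is the part the options leave implicit. The following is an added example (not the question's code) of a gate a CodeBuild stage can run after the push: it polls DescribeImageScanFindings until the scan has results, then fails when any CRITICAL or HIGH finding is present. Repository name and digest are assumptions passed in by the caller; the ECR client is injected so the constructed stand-in at the bottom lets the logic run offline.

```python
"""CodeBuild gate: wait for the ECR scan of the pushed image and fail on CRITICAL or HIGH findings."""
import sys
import time

BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})
TERMINAL_FAILURES = frozenset({"FAILED", "UNSUPPORTED_IMAGE",
                               "SCAN_ELIGIBILITY_EXPIRED", "FINDINGS_UNAVAILABLE"})


def wait_for_scan(ecr, repository: str, image_digest: str,
                  timeout_s: int = 600, poll_s: int = 10) -> dict:
    """Poll DescribeImageScanFindings until results exist.

    Basic scanning reports COMPLETE; enhanced scanning reports ACTIVE once Inspector
    has scanned the image (and keeps rescanning it afterwards). Before the first scan
    ECR raises ScanNotFoundException, which is treated as "not started yet".
    """
    deadline = time.monotonic() + timeout_s
    while True:
        try:
            resp = ecr.describe_image_scan_findings(repositoryName=repository,
                                                    imageId={"imageDigest": image_digest})
            status = resp["imageScanStatus"]["status"]
        except Exception as exc:  # boto3 raises ecr.exceptions.ScanNotFoundException
            if type(exc).__name__ != "ScanNotFoundException":
                raise
            status = "NOT_STARTED"
        if status in ("COMPLETE", "ACTIVE"):
            return resp.get("imageScanFindings", {})
        if status in TERMINAL_FAILURES:
            raise RuntimeError(f"scan {status}: {resp['imageScanStatus'].get('description', '')}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"scan still {status} after {timeout_s}s")
        time.sleep(poll_s)


def blocking_findings(findings: dict) -> dict:
    """Severity -> count for the severities that must block deployment."""
    counts = findings.get("findingSeverityCounts", {})
    return {sev: n for sev, n in counts.items() if sev in BLOCKING_SEVERITIES and n > 0}


def image_is_deployable(ecr, repository: str, image_digest: str, **wait_kw) -> bool:
    return not blocking_findings(wait_for_scan(ecr, repository, image_digest, **wait_kw))


class _FakeEcr:
    """Constructed stand-in: returns the queued statuses in order, then repeats the last."""
    def __init__(self, statuses, severity_counts):
        self._statuses, self._counts, self.calls = list(statuses), severity_counts, 0

    def describe_image_scan_findings(self, **kw):
        self.calls += 1
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"imageScanStatus": {"status": status},
                "imageScanFindings": {"findingSeverityCounts": self._counts}}


if __name__ == "__main__":
    # Usage from a buildspec: python gate.py <repository> <sha256:digest>; non-zero exit fails the build.
    import boto3
    repo, digest = sys.argv[1], sys.argv[2]
    client = boto3.client("ecr")
    if not image_is_deployable(client, repo, digest):
        print("blocking findings:", blocking_findings(wait_for_scan(client, repo, digest)))
        sys.exit(1)
    print("no CRITICAL/HIGH findings")
```

Gate on the digest, not the tag: a tag can be moved after the scan ran, while the digest identifies the exact bytes that were scanned and that CodeDeploy will roll out.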
A company's DevOps team manages a set of AWS accounts that are in an organization in AWS Organizations.
The company needs a solution that ensures that all Amazon EC2 instances use approved AMIs that the DevOps team manages. The solution also must remediate the usage of AMIs that are not approved. The individual...
Let's break down the options based on the requirement to ensure that only approved Amazon Machine Images (AMIs) are used across all EC2 instances, and any non-compliant AMIs are remediated. Additionally, the solution must ensure that individual account administrators cannot remove the restriction.
Option A: Use AWS CloudFormation StackSets to deploy an Amazon EventBridge rule to each account.
- What this option does: This option involves using AWS CloudFormation StackSets to deploy an EventBridge rule in each account. The rule would react to AWS CloudTrail events for EC2 instances, sending notifications to an SNS topic that the DevOps team subscribes to.
- Key factors:
- Notification-only solution: This approach is focused on sending notifications when non-compliant AMIs are detected but does not address the remediation of non-compliant instances.
- No enforcement of policy: While it sends notifications to the DevOps team, it does not automatically stop or remediate non-compliant instances.
- Why this is rejected: This option doesn’t fully meet the requirement because it lacks the enforcement mechanism to automatically stop EC2 instances with non-compliant AMIs, which is a core part of the solution. Additionally, it depends on notifications instead of direct remediation.
Option B: Use AWS CloudFormation StackSets to deploy the approved-amis-by-id AWS Config managed rule to each account.
- What this option does: This option uses AWS CloudFormation StackSets to deploy the approved-amis-by-id AWS Config rule across accounts. The rule checks for compliant AMIs and automatically triggers an AWS Systems Manager Automation runbook to stop non-compliant EC2 instances.
- Key factors:
- Enforcement: This solution automatically remediates non-compliant instances by using the AWS-StopEC2Instance runbook, which stops EC2 instances that use non-approved AMIs.
- Automated compliance: The AWS Config rule ensures that only approved AMIs are used, and remediation is triggered automatically for any violations.
- Governance: The rule is enforced across the organization, making it difficult for individual account administrators to bypass the restriction.
- Why this is selected: This solution directly addresses the requirement by enforcing the use of approved AMIs and providing automatic remediation of non-compliant instances. It also uses AWS Config, which provides centralized management and governance that individual account administrators cannot bypass.
Option C: Create an AWS Lambda function that processes AWS CloudTrail events for Amazon EC2.
- What t...
Author: SolarFalcon11 · Last updated May 17, 2026
A company gives its employees limited rights to AWS. DevOps engineers have the ability to assume an administrator role. For tracking purposes, the security team wants to receive a near-real-time not...
Let's analyze the options based on the requirement to send a near-real-time notification to the security team when the administrator role is assumed.
Option A: Configure AWS Config to publish logs to an Amazon S3 bucket.
- What this option does: AWS Config tracks configuration changes and compliance of AWS resources. In this case, it would publish logs to an S3 bucket, and you could use Amazon Athena to query those logs.
- Key factors:
- Complexity: Setting up AWS Config to track such events and using Athena for querying adds unnecessary complexity for the task at hand, as it is more focused on resource configurations and compliance tracking rather than near-real-time event detection.
- Not real-time: There could be some delay in generating logs and querying them, so it's not ideal for real-time notifications.
- Why this is rejected: This solution is more suited for historical tracking and compliance audits, rather than the near-real-time detection of role assumption events.
Option B: Configure Amazon GuardDuty to monitor when the administrator role is assumed.
- What this option does: Amazon GuardDuty is a threat detection service that monitors for suspicious activity in an AWS environment. It could potentially monitor role assumption events.
- Key factors:
- Scope of GuardDuty: GuardDuty primarily focuses on security findings such as unusual API activity or potential threats. While it does detect unusual activity related to AWS accounts, it’s not specifically focused on tracking role assumption events in the same manner as CloudTrail or EventBridge.
- Not tailored for this use case: GuardDuty is not designed to alert specifically when a particular role (like an administrator role) is assumed.
- Why this is rejected: GuardDuty is not the best tool for detecting and alerting on the assumption of specific IAM roles. It's more oriented towards general security events rather than specific IAM role tracking.
Option C: Create an Amazon EventBridge event rule using an AWS Management Console sign-in events event pattern.
- What this option does: EventBridge can be configured with an event pattern for ...
Author: StarlightBear · Last updated May 17, 2026
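Whichever event source the rule uses, the rule is only as good as its pattern, and patterns are easy to get subtly wrong. The block below is an added example (not the question's code): an EventBridge pattern that matches the CloudTrail record of sts:AssumeRole for one role ARN, a constructed sample event, a text formatter for the SNS message, and a small matcher implementing the subset of EventBridge semantics the pattern relies on (nested objects, exact values, prefix, anything-but) so the pattern can be tested offline. The role ARN, account ID and principal names are assumptions.

```python
"""EventBridge pattern for AssumeRole on one role, with a local matcher to test it offline."""

ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/AdministratorRole"   # assumed role ARN

ASSUME_ADMIN_ROLE_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole"],
        "requestParameters": {"roleArn": [ADMIN_ROLE_ARN]},
    },
}


def _leaf_matches(alternative, actual) -> bool:
    if isinstance(alternative, dict):
        if "prefix" in alternative:
            return isinstance(actual, str) and actual.startswith(alternative["prefix"])
        if "anything-but" in alternative:
            return actual not in alternative["anything-but"]
        raise ValueError(f"unsupported matcher: {alternative}")
    return alternative == actual


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: every pattern key must exist in the event,
    nested objects recurse, and the alternatives in a list are OR-ed."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches(expected, actual)):
                return False
        elif not any(_leaf_matches(alt, actual) for alt in expected):
            return False
    return True


def notification_text(event: dict) -> str:
    """Body for the SNS message: who assumed which role, from where, when."""
    d = event["detail"]
    who = d.get("userIdentity", {}).get("arn", "unknown principal")
    params = d["requestParameters"]
    return (f"{params['roleArn']} assumed by {who} from {d.get('sourceIPAddress', '?')} "
            f"at {d['eventTime']} (session {params.get('roleSessionName', '?')})")


SAMPLE_EVENT = {   # constructed; the detail carries the CloudTrail record
    "source": "aws.sts",
    "detail-type": "AWS API Call via CloudTrail",
    "account": "123456789012",
    "detail": {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "eventTime": "2026-05-17T09:42:11Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsEngineer/alice"},
        "requestParameters": {"roleArn": ADMIN_ROLE_ARN, "roleSessionName": "alice"},
    },
}


if __name__ == "__main__":
    if matches(ASSUME_ADMIN_ROLE_PATTERN, SAMPLE_EVENT):
        print(notification_text(SAMPLE_EVENT))
```

Two operational points: EventBridge only delivers "AWS API Call via CloudTrail" events in an account that has a CloudTrail trail logging management events, and the AssumeRole record is written in the account that owns the role, so the rule belongs there. Use an SNS topic as the rule target with an input transformer if the raw JSON is too noisy for the security team.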
A company needs a strategy for failover and disaster recovery of its data and application. The application uses a MySQL database and Amazon EC2 instances. The company requires a maximum RPO of 2 hours and a maximum RTO of 10 minutes for its data and appli...
To meet the company's disaster recovery and failover requirements for both data and application with a maximum RPO of 2 hours and a maximum RTO of 10 minutes, we need to focus on high availability, quick failover, and data replication strategies.
Let's evaluate the options based on these key requirements.
Option A: Create an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data store.
- What this option does: This option suggests creating an Aurora Single-AZ cluster in multiple regions. Aurora is a fully managed database service, but having it in a single AZ in each region doesn't provide multi-AZ replication or disaster recovery features.
- Key factors:
- Single-AZ cluster: A Single-AZ deployment limits availability and failover capabilities. In the event of an AZ failure in one region, there is no automatic failover to another AZ.
- Not optimal for disaster recovery: While Aurora does support automatic recovery, the Single-AZ configuration will not meet the RPO and RTO requirements for disaster recovery, especially since the failure would require manual intervention.
- Why this is rejected: The Single-AZ setup does not provide the required level of availability and failover. For an effective disaster recovery strategy, we need a multi-AZ or cross-region approach for both data and application failover.
Option B: Create an Amazon Aurora global database in two AWS Regions as the data store.
- What this option does: Aurora Global Databases are designed for globally distributed applications and support cross-region replication with low-latency data replication. In the event of a failure in one region, the secondary region can be promoted to primary.
- Key factors:
- Cross-region replication: This option supports cross-region replication, which can meet the 2-hour RPO by ensuring that the data is replicated across regions.
- Automatic promotion: In the event of a failure, Aurora's global database allows for automatic promotion of the secondary region to primary, ensuring a minimal RTO.
- Meets both RPO and RTO requirements: The ability to quickly promote a secondary region to primary with Aurora Global Databases ensures that data loss is minimized and the application can recover quickly.
- Why this is selected: This solution is ideal because it ensures high availability, low-latency replication, and automatic failover, meeting both RPO and RTO requirements for both the data and application.
Option C: Create an Amazon Aurora cluster in multiple AWS Regions as the data store.
- What this option does: Aurora clusters support multi-AZ configurations, but this option suggests spreading Aurora clusters across regions and using a Network Load Balancer (NLB) for balancing traffic between regions.
- Key factors:
- NLB for database traffic: While an NLB can route traffic between regions, Aurora itself does not natively support cross-region deployment with load balancing for database tra...
Author: Rahul · Last updated May 17, 2026
A developer is using the AWS Serverless Application Model (AWS SAM) to create a prototype for an AWS Lambda function. The AWS SAM template contains an AWS::Serverless::Function resource that has the CodeUri property that points to an Amazon S3 location. The developer wants to identify the correct commands for deployment before creating a CI/CD pipeline.
The developer creates an archive of the Lambda function code named package.zip. The developer uploads the .zip file archive to the S3 location specified in the CodeUri property. The developer runs the sam deploy command and deploys the Lambda functi...
The error "no changes to deploy" occurs because the `sam deploy` command detects no changes in the CloudFormation stack, which happens when the Lambda function code is already uploaded and the stack configuration has not changed. The solution involves ensuring that the updated Lambda code is packaged correctly and that the `sam deploy` command can recognize the change.
Let's analyze each option:
- Option A: Use the aws cloudformation update-stack command instead of the sam deploy command.
- Rejection Reason: While the `aws cloudformation update-stack` command can update the CloudFormation stack, it doesn't help with ensuring that the Lambda function's code is packaged and deployed correctly. The `sam deploy` command is specifically designed for serverless applications and manages the deployment process for AWS SAM templates, including packaging Lambda code.
- Option B: Use the aws cloudformation update-stack-instances command instead of the sam deploy command.
- Rejection Reason: The `update-stack-instances` command is used for Amazon EC2 instances within an AWS CloudFormation stack and isn't applicable for updating Lambda functions or the stack resources defined in an AWS SAM template. This command doesn’t address the deployment issue for Lambda functions.
- Option C: Update the CodeUri property to reference the local application code folder. Use the sam deploy command.
- Selected Reason: The main issue is that the `CodeUri` in the SAM template is pointing to an S3 location. When the Lambda function code is updated, the deployment fails because SAM doesn’t detect changes in the S3 location automatically. By changing `CodeUri...
Author: Olivia · Last updated May 17, 2026
A company runs its container workloads in AWS App Runner. A DevOps engineer manages the company's container repository in Amazon Elastic Container Registry (Amazon ECR).
The DevOps engineer must implement a solution that continuously monitors the container repository. The solution must create a new container image whe...
Let's break down each of the options to see which solution best meets the requirement of continuously monitoring a container repository for vulnerabilities and creating a new container image when a vulnerability is detected.
Option A:
- Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Turn on enhanced scanning on the ECR repository. Create an Amazon EventBridge rule to capture an Inspector finding event. Use the event to invoke the image pipeline. Re-upload the container to the repository.
- Reasoning: EC2 Image Builder is designed to automate the process of creating, testing, and distributing images (including container images). Enhanced scanning on Amazon ECR allows scanning for known vulnerabilities in container images. Amazon Inspector can detect vulnerabilities in the operating system or application packages and generate findings. These findings can be captured using an EventBridge rule and used to trigger the EC2 Image Builder pipeline to rebuild the container image and upload it back to Amazon ECR.
- Selected Reason: This option directly addresses the need to rebuild and update the container image when vulnerabilities are detected. It uses a comprehensive combination of tools (ECR scanning, Inspector, EC2 Image Builder, and EventBridge) to handle the task automatically.
Option B:
- Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Enable Amazon GuardDuty Malware Protection on the container workload. Create an Amazon EventBridge rule to capture a GuardDuty finding event. Use the event to invoke the image pipeline.
- Rejection Reason: While GuardDuty is a useful tool for detecting malicious activity and potential threats in your AWS environment, it is not specifically focused on detecting vulnerabilities in container images (operating system or language packages). GuardDuty primarily looks for suspicious activities and potential security issues, but it doesn’t provide the granular vulnerability scanning that would be necessary to address OS and language pac...
Author: Ming88 · Last updated May 17, 2026
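The glue between the Inspector finding and the image pipeline is a small Lambda function. The block below is an added example (not the question's code): the rule pattern that pre-filters Inspector findings by severity, a handler that extracts the ECR repositories named in the finding and starts the matching EC2 Image Builder pipeline, and a constructed finding event. The pipeline ARNs, repository names and the field layout of the sample finding are assumptions; the Image Builder client is injected so the handler runs offline against the stand-in at the bottom.

```python
"""Lambda handler: rebuild the image pipeline for a repository when Inspector reports a
CRITICAL or HIGH finding on one of its images (added example)."""
REBUILD_SEVERITIES = frozenset({"CRITICAL", "HIGH"})

# Repository name -> image pipeline that produces it (assumed values).
PIPELINE_BY_REPOSITORY = {
    "app-base": "arn:aws:imagebuilder:us-east-1:123456789012:image-pipeline/app-base",
}

# EventBridge rule pattern; the severity filter keeps LOW/MEDIUM noise from invoking the function.
RULE_EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": sorted(REBUILD_SEVERITIES), "status": ["ACTIVE"]},
}


def repositories_to_rebuild(finding: dict) -> set:
    """Repositories named in the finding's ECR image resources, if the severity warrants a rebuild."""
    if finding.get("severity") not in REBUILD_SEVERITIES or finding.get("status") != "ACTIVE":
        return set()
    repos = set()
    for res in finding.get("resources", []):
        if res.get("type") != "AWS_ECR_CONTAINER_IMAGE":
            continue
        image = res.get("details", {}).get("awsEcrContainerImage", {})
        if "repositoryName" in image:
            repos.add(image["repositoryName"])
    return repos


def handler(event: dict, context=None, imagebuilder=None) -> dict:
    """Start one pipeline execution per affected repository that has a pipeline mapped."""
    started, skipped = [], []
    for repo in sorted(repositories_to_rebuild(event.get("detail", {}))):
        arn = PIPELINE_BY_REPOSITORY.get(repo)
        if arn is None:
            skipped.append(repo)
            continue
        if imagebuilder is None:
            import boto3  # lazy so the module loads without boto3 installed
            imagebuilder = boto3.client("imagebuilder")
        resp = imagebuilder.start_image_pipeline_execution(imagePipelineArn=arn)
        started.append((repo, resp.get("imageBuildVersionArn")))
    return {"started": started, "skipped": skipped}


SAMPLE_FINDING_EVENT = {   # constructed; layout mirrors an Inspector2 Finding event
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/0123abcd",
        "title": "CVE-2024-0000 - openssl",
        "resources": [
            {"type": "AWS_ECR_CONTAINER_IMAGE",
             "details": {"awsEcrContainerImage": {"repositoryName": "app-base",
                                                  "imageTags": ["1.0.2"]}}},
            {"type": "AWS_ECR_CONTAINER_IMAGE",
             "details": {"awsEcrContainerImage": {"repositoryName": "unmanaged-repo"}}},
        ],
    },
}

_BUILD_ARN = "arn:aws:imagebuilder:us-east-1:123456789012:image/app-base/1.0.3/1"


class _FakeImageBuilder:
    """Constructed stand-in that records which pipelines were started."""
    def __init__(self):
        self.started = []

    def start_image_pipeline_execution(self, **kw):
        self.started.append(kw["imagePipelineArn"])
        return {"imageBuildVersionArn": _BUILD_ARN}


if __name__ == "__main__":
    print(handler(SAMPLE_FINDING_EVENT, imagebuilder=_FakeImageBuilder()))
```

A rebuild only removes the finding if an updated package exists upstream; otherwise the new image gets the same finding and the rule fires again. Record the findingArn (for example in a DynamoDB table with a TTL) and skip findings already acted on, or rate-limit per repository, before wiring this into production.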
A company wants to use AWS Systems Manager documents to bootstrap physical laptops for developers. The bootstrap code is stored in GitHub. A DevOps engineer has already created a Systems Manager activation, installed the Systems Manager agent with the reg...
Let's analyze each of the options to determine the best course of action for bootstrapping physical laptops for developers using AWS Systems Manager (SSM) documents.
Option A:
- Configure the Systems Manager document to use the AWS-RunShellScript command to copy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with a sourceType of S3.
- Rejection Reason: This option introduces unnecessary complexity. While it first uses the `AWS-RunShellScript` command to copy the files from GitHub to S3, the process of using S3 as an intermediary step is redundant and adds extra steps. The `aws-downloadContent` plugin is useful, but it would be more efficient to directly download from the source (GitHub) without storing the content in S3 first.
Option B:
- Configure the Systems Manager document to use the aws-configurePackage plugin with an install action and point to the Git repository.
- Rejection Reason: The `aws-configurePackage` plugin is designed to configure packages such as AWS tools or other software packages. It is not designed for downloading or bootstrapping scripts directly from a GitHub repository. This plugin is more relevant for managing software installation and configuration rather than downloading and running bootstrap code from a Git repository.
Option C:
- Configure the Systems Manager document to use...
Author: Layla · Last updated May 17, 2026
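Both the antivirus question above (State Manager association over all managed nodes) and this laptop-bootstrap question come down to writing a Systems Manager Command document. The following is an added example, not code from either question: it builds the two documents, one idempotent install step for the association and one download-from-GitHub-then-run step for the laptops, and checks their structure. The package name, GitHub owner and repository, paths and the ssm-secure parameter name are assumptions; the aws:downloadContent inputs follow the plugin's documented shape, with sourceInfo passed as a JSON string.

```python
"""Two Systems Manager Command documents: an idempotent antivirus install for State Manager
associations, and a laptop bootstrap that pulls code from GitHub with aws:downloadContent."""
import json

AV_PACKAGE = "clamav"      # assumed package; substitute the vendor's package name
GITHUB_SOURCE = {          # assumed repository details
    "owner": "example-org",
    "repository": "laptop-bootstrap",
    "path": "bootstrap",
    "getOptions": "branch:main",
    "tokenInfo": "{{ssm-secure:github-token}}",   # token read from a SecureString parameter
}
KNOWN_ACTIONS = {"aws:runShellScript", "aws:runPowerShellScript", "aws:downloadContent"}


def antivirus_document() -> dict:
    """Installs the package only when it is missing, so repeated association runs are no-ops."""
    return {
        "schemaVersion": "2.2",
        "description": "Ensure antivirus is installed on Amazon Linux",
        "mainSteps": [{
            "action": "aws:runShellScript",
            "name": "installAntivirus",
            "inputs": {"runCommand": [
                "#!/bin/bash",
                "set -euo pipefail",
                f"if rpm -q {AV_PACKAGE} >/dev/null 2>&1; then echo '{AV_PACKAGE} present'; exit 0; fi",
                f"dnf install -y {AV_PACKAGE}",
            ]},
        }],
    }


def github_bootstrap_document() -> dict:
    """Downloads the repository path to the laptop, then runs its entry script."""
    return {
        "schemaVersion": "2.2",
        "description": "Bootstrap a developer laptop from GitHub",
        "mainSteps": [
            {"action": "aws:downloadContent", "name": "fetchBootstrap",
             "inputs": {"sourceType": "GitHub",
                        "sourceInfo": json.dumps(GITHUB_SOURCE),
                        "destinationPath": "/opt/bootstrap"}},
            {"action": "aws:runShellScript", "name": "runBootstrap",
             "inputs": {"workingDirectory": "/opt/bootstrap",
                        "runCommand": ["chmod +x ./bootstrap.sh", "./bootstrap.sh"]}},
        ],
    }


def validate_command_document(doc: dict) -> list:
    """Return a list of problems; an empty list means the document passes these checks."""
    problems = []
    if doc.get("schemaVersion") != "2.2":
        problems.append("schemaVersion must be 2.2 for a Command document that uses plugins")
    names = set()
    for step in doc.get("mainSteps", []):
        if step.get("action") not in KNOWN_ACTIONS:
            problems.append(f"unknown action {step.get('action')!r}")
        if step.get("name") in names:
            problems.append(f"duplicate step name {step.get('name')!r}")
        names.add(step.get("name"))
        if step.get("action") == "aws:downloadContent":
            try:
                json.loads(step["inputs"]["sourceInfo"])
            except (KeyError, TypeError, ValueError):
                problems.append(f"step {step.get('name')!r}: sourceInfo must be a JSON string")
    return problems


if __name__ == "__main__":
    for build in (antivirus_document, github_bootstrap_document):
        doc = build()
        print(json.dumps(doc, indent=2))
        print("problems:", validate_command_document(doc) or "none")
```

For the antivirus case, register the document with a State Manager association whose target is all managed nodes (Key=InstanceIds, Values=*) on a schedule, so instances that appear later are covered as well; the rpm check is what makes the repeated runs harmless. For the laptops, the activation-registered nodes are hybrid managed nodes and the same document runs on them through Run Command or an association.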
A company's development team uses AWS CloudFormation to deploy its application resources. The team must use CloudFormation for all changes to the environment. The team cannot use the AWS Management Console or the AWS CLI to make manual changes directly.
The team uses a developer IAM role to access the environment. The role is configured with the AdministratorAccess managed IAM policy. The company has created a new CloudFormationDeployment IAM role that has the following policy attached:
The compa...
To meet the requirement of ensuring that only CloudFormation can use the new CloudFormationDeployment IAM role, and that the development team cannot make manual changes directly, let’s go through each option step by step.
Option A:
- Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks.
- Selected Reasoning: Removing `AdministratorAccess` from the developer role takes away the ability to change resources directly, and `ReadOnlyAccess` leaves developers able to inspect the environment. Using CloudFormationDeployment as the stack's service role means CloudFormation, not the developer's own credentials, performs the resource changes. Two caveats apply. The instruction alone does not restrict who can use the role: the role's trust policy must name only the `cloudformation.amazonaws.com` service principal, and no IAM principal should be granted `sts:AssumeRole` on it. And `ReadOnlyAccess` includes neither the `cloudformation:CreateStack`/`UpdateStack`/`CreateChangeSet` actions nor `iam:PassRole`, so developers still need a narrow additional policy that grants the stack operations and lets them pass the deployment role to CloudFormation.
Option B:
- Update the trust policy of the CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDeployment role.
- Rejection Reason: Allowing the developer IAM role to assume the CloudFormationDeployment role defeats the purpose: a developer could call `sts:AssumeRole`, receive the role's credentials, and then use its permissions from the console or the CLI, bypassing CloudFormation entirely. The trust policy should name only the CloudFormation service principal, not the developers.
Option C:
- Configure the developer IAM role to be able to get and pass the CloudFormationDeployment role if iam:PassedToService equals cloudformation.amazonaws.com. Configure the CloudFormationDeployment role to allow all CloudFormation actions for all resources.
- Rejection Reason: The first half of this option is the standard mechanism for handing a service role to CloudFormation: `iam:PassRole` with the condition `iam:PassedToService` equal to `cloudformation.amazonaws.com` lets the developer pass the role to CloudFormation and to nothing else, and passing is not assuming, so it does not by itself let developers act on resources outside CloudFormation. The weak part is the second half. Granting the CloudFormationDeployment role `cloudformation:*` on all resources does not give it the EC2, S3, IAM and other permissions it actually needs to create the stack's resources; those come from the policy the company already attached to it. And because developers can put any resource type into a template, whatever the deployment role is allowed to do becomes the effective ceiling on what a developer can change, so its permissions should be scoped to what the stacks create rather than broadened.
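The two halves of the arrangement discussed above, a role that only the CloudFormation service can assume and a developer-side grant that can pass it only to CloudFormation, as a CloudFormation template. This is an added example that models the roles in the question, not the company's actual policy; the developer role name, the inline permissions of the deployment role and the managed policy name are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: a CloudFormation service role that only the CloudFormation
  service can assume, plus the developer-side grant to pass it. Names are
  placeholders.
Parameters:
  DeveloperRoleName:
    Type: String
    Default: developer   # assumed: the team's existing IAM role name
Resources:
  CloudFormationDeploymentRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudFormationDeployment
      # Only the CloudFormation service principal may assume the role. No IAM
      # user or role is listed, so nobody can pick up its credentials directly.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StackResourcePermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Assumed scope: what this team's stacks create. Developers can
              # put any resource in a template, so this policy is the real
              # ceiling on what they can change; keep it narrow.
              - Effect: Allow
                Action:
                  - ec2:*
                  - s3:*
                  - logs:*
                Resource: '*'
  DeveloperStackOperatorPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeveloperStackOperator
      Roles:
        - !Ref DeveloperRoleName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # ReadOnlyAccess does not include these; developers need them to
          # drive stacks, and they still get no direct access to resources.
          - Sid: OperateStacks
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:CreateChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:DeleteChangeSet
            Resource: '*'
          - Sid: ReadDeploymentRole
            Effect: Allow
            Action: iam:GetRole
            Resource: !GetAtt CloudFormationDeploymentRole.Arn
          # iam:PassedToService is only present on PassRole requests, so the
          # condition sits in its own statement (on GetRole it would never
          # match and the statement would silently deny). It restricts the
          # pass to CloudFormation: the role cannot be handed to EC2, Lambda
          # or any other service that would let a developer run code under it.
          - Sid: PassDeploymentRoleOnlyToCloudFormation
            Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CloudFormationDeploymentRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com
```

Developers then create stacks with `--role-arn` pointing at CloudFormationDeployment; every resource change is performed by CloudFormation under that role and recorded as such in CloudTrail, while the developer credentials never carry write permissions on the resources themselves.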
Author: Ella · Last updated May 17, 2026
A company is developing a web application's infrastructure using AWS CloudFormation. The database engineering team maintains the database resources in a CloudFormation template, and the software development team maintains the web application resources in a separate CloudFormation template. As the scope of the application grows, the software development team needs to use resources maintained by the database engineering team. However, both teams have their own review and lifecycle management processes that they wa...
Let's evaluate each of the provided options based on the given requirements:
Requirements:
- Both teams want to maintain their own CloudFormation templates and lifecycle management processes.
- The software development team needs to use resources from the database engineering team.
- Both teams require resource-level change-set reviews.
- The software development team needs to deploy changes using their CI/CD pipeline.
Option A: Create a stack export from the database CloudFormation template and import those references into the web application CloudFormation template.
- Rejection Reason: Exports (an `Outputs` entry with `Export`) and `Fn::ImportValue` are the documented way to share values such as a database endpoint or security group ID between stacks that remain independently owned, and each stack keeps its own change sets, so resource-level review is still available on both sides. Their limitation is coupling rather than review: an exported value cannot be modified or removed, and the exporting stack cannot be deleted, while another stack imports it. The database team's lifecycle therefore becomes constrained by the web team's consumption of its outputs, and the CI/CD pipelines have to sequence updates across the two stacks.
Option B: Create a CloudFormation nested stack to make cross-stack resource references and parameters available in both stacks.
- Selected Reasoning: Nested stacks let the web application template include the database template as an `AWS::CloudFormation::Stack` resource and consume its outputs through `Fn::GetAtt`, so the two templates stay in separate files under separate ownership and review. Change sets created on the parent stack can include nested stacks, so the software development team's pipeline sees resource-level changes across both, and that pipeline drives the deployment. Caveat: a nested stack is created, updated and deleted by its parent, so the database team's changes take effect only when the parent stack is updated; the database team keeps review authority over its template but not a fully independent deployment lifecycle.
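The export/import arrangement discussed under option A, with the database template and the web template kept as separate files, as an added example (not the company's templates). The VPC is passed in as a parameter, the engine, instance class and export names are assumptions, and the RDS subnet configuration is omitted for brevity.

```yaml
# database.yaml: owned and reviewed by the database engineering team
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier; ingress is granted by consuming stacks
      VpcId: !Ref VpcId
  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.medium
      AllocatedStorage: '20'
      MasterUsername: appadmin
      ManageMasterUserPassword: true   # credential lives in Secrets Manager, never in a template
      VPCSecurityGroups:
        - !Ref DatabaseSecurityGroup
Outputs:
  # The exports are the contract between the teams. While another stack
  # imports them their values cannot change and this stack cannot be deleted.
  DatabaseEndpoint:
    Value: !GetAtt AppDatabase.Endpoint.Address
    Export:
      Name: app-database-endpoint
  DatabaseSecurityGroupId:
    Value: !Ref DatabaseSecurityGroup
    Export:
      Name: app-database-sg
---
# webapp.yaml: owned and reviewed by the software development team and
# deployed from its CI/CD pipeline; it declares no database resources.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier
      VpcId: !Ref VpcId
  # Grants only the web tier access to port 5432 on the exported database
  # security group. The rule is owned by this stack, so it appears in this
  # team's change sets, and the database stack is not modified.
  DatabaseIngressFromWeb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !ImportValue app-database-sg
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      SourceSecurityGroupId: !Ref WebSecurityGroup
  DatabaseEndpointParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/database/endpoint
      Type: String
      Value: !ImportValue app-database-endpoint
```

In the nested-stack form from option B, `webapp.yaml` would instead declare a `DatabaseStack` resource of type `AWS::CloudFormation::Stack` with a `TemplateURL` pointing at the database template and read `!GetAtt DatabaseStack.Outputs.DatabaseEndpoint`; the database stack is then created and updated only as part of the web stack's deployments, which is the lifecycle trade-off noted above.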
Author: Zara · Last updated May 17, 2026
A company has an organization in AWS Organizations. A DevOps engineer needs to maintain multiple AWS accounts that belong to different OUs in the organization. All resources, including IAM policies and Amazon S3 policies within an account, are deployed through AWS CloudFormation. All templates and code are maintained in an AWS CodeCommit repository. Recently, some developers have not been able to access an...
Analysis of Options:
A) Modify the S3 bucket policy. Turn off the S3 Block Public Access setting on the S3 bucket. In the S3 policy, add the aws:SourceAccount condition. Add the AWS account IDs of all developers who are experiencing the issue.
- S3 Block Public Access: Block Public Access only blocks grants to everyone (anonymous callers, or `Principal: "*"` without a narrowing condition). Developers signing requests from other accounts in the organization are authenticated principals, not the public, so this setting is not what is denying them, and turning it off will not fix their problem.
- aws:SourceAccount condition: This key identifies the account on whose behalf an AWS service is calling (the confused-deputy guard for service principals); it does not identify an IAM principal that calls S3 directly. The keys for that are `aws:PrincipalAccount` or, for the whole organization, `aws:PrincipalOrgID`. Hand-listing each affected developer's account ID is also unmaintainable as accounts are added.
- Key issue: The change removes a guardrail that protects the bucket from public exposure while leaving the actual cause, a restriction in an identity policy, permissions boundary or SCP, untouched.
- Conclusion: Reject; it loosens a security control and addresses the wrong layer.
B) Verify that no IAM permissions boundaries are denying developers access to the S3 bucket. Make the necessary changes to IAM permissions boundaries. Use an AWS Config recorder in the individual developer accounts that are experiencing the issue to revert any changes that are blocking access. Commit the fix back into the CodeCommit repository. Invoke deployment through CloudFormation to apply the changes.
- IAM Permissions Boundaries: IAM permissions boundaries can be used to limit the permissions that IAM policies can grant. It's a good practice to ensure that there are no permission boundaries preventing access.
- AWS Config: A Config recorder records configuration changes; it does not revert anything by itself. Undoing a change needs a Config rule with a remediation action, or simply a redeployment of the CloudFormation template that already holds the desired state. As written, this step adds tooling in each affected account without finding the root cause.
- CloudFormation: If changes are made, they should be committed to CodeCommit and deployed through CloudFormation, which is aligned with the current workflow.
- Conclusion: Checking permissions boundaries is reasonable, but the option as a whole is more complicated than the problem. In a multi-OU organization an SCP attached to the developers' OU is the more likely cause and should be checked first, and drift in an account is better corrected by redeploying from CodeCommit than by a per-account Config setup.
C) Configure an SCP t...
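The correct shape of the bucket-policy half of option A, for contrast: cross-account access scoped to the organization with `aws:PrincipalOrgID`, while Block Public Access stays on. This is an added example, not the company's bucket or policy; the organization ID parameter default and the bucket itself are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - organization-scoped read access with Block Public Access left enabled (placeholder names)
Parameters:
  OrganizationId:
    Type: String
    Default: o-exampleorgid   # placeholder; the real value is the o-... ID from Organizations
Resources:
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      # All four settings stay on. They only affect grants to everyone and
      # do not interfere with the org-scoped policy below.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  ArtifactBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ArtifactBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Principal "*" narrowed by aws:PrincipalOrgID is not considered a
          # public policy: only authenticated principals from accounts in this
          # organization match, so BlockPublicPolicy accepts it.
          - Sid: OrgMembersCanRead
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !GetAtt ArtifactBucket.Arn
              - !Sub '${ArtifactBucket.Arn}/*'
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
```

Cross-account access needs both sides: the developer's identity policy in their own account must also allow these actions, and an SCP on their OU can still deny them regardless of what the bucket policy grants, which is why an SCP is the first thing to check when only some accounts are affected.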
Author: Chloe · Last updated May 17, 2026
A company has an organization in AWS Organizations for its multi-account environment. A DevOps engineer is developing an AWS CodeArtifact based strategy for application package management across the organization. Each application team at the company has its own account in the organization. Each application team also has limited access to a centralized shared services account.
Each application team needs full access to download, publish, and grant access to its own packages. Some common l...
Analysis of Options:
A) Create a domain in each application team's account. Grant each application team's account full read access and write access to the application team's domain.
- Domain: CodeArtifact domains provide a centralized location for managing repositories that share packages. By creating a domain in each application team's account, you ensure each team can manage and access their own packages.
- Access: Granting each team's account full read and write access ensures the team can manage their own packages and share them as needed.
- Conclusion: This is a valid step for managing team-specific packages but doesn't address the need to share common library packages across the organization.
B) Create a domain in the shared services account. Grant the organization read access and CreateRepository access.
- Domain in Shared Services: A domain is a cross-account container: repositories inside it can be owned by different accounts, and a domain policy can grant principals across the organization (for example with an `aws:PrincipalOrgID` condition) permission to create and use repositories in it. Teams therefore keep ownership of their own repositories while sharing one domain, one KMS key and one place to look for packages.
- Access to CreateRepository: Granting the organization `codeartifact:CreateRepository` on the domain is what lets each team create its own repository inside the shared domain without a ticket to the shared services team. It does not grant access to other teams' repositories; each repository's own policy still controls who can read from or publish to it.
- Conclusion: This is the natural home for shared common libraries and gives teams self-service repository creation. It has to be paired with a step that makes the common-library repository available to the teams' repositories.
C) Create a repository in each application team's account. Grant each application team's account full read access and write access to its own repository.
- Repository Access: Creating individual repositories in each team's account is a good way to ensure each team has full control over its own packages.
- Access Control: Granting each team full access to its own repository is in line with the requirement for full access to their packages.
- Conclusion: This solution works well for team-specific package management but doesn't address the common library sharing requirement.
D) Create a repos...
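The shared-domain arrangement discussed under options B and C, as an added example (not the company's configuration): a domain in the shared services account whose policy lets the whole organization create repositories in it, a shared repository in that domain that fronts the public npm registry, and a team-owned repository in another account that uses the shared one as its upstream. The domain and repository names, the organization ID and the account ID parameter are placeholders.

```yaml
# Deployed in the shared services account.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  OrganizationId:
    Type: String
    Default: o-exampleorgid   # placeholder
Resources:
  SharedDomain:
    Type: AWS::CodeArtifact::Domain
    Properties:
      DomainName: company-packages
      PermissionsPolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Any principal in the organization can read the domain and create
          # its own repository in it. Repositories created from team accounts
          # stay owned by those accounts, with their own repository policies.
          - Effect: Allow
            Principal: '*'
            Action:
              - codeartifact:CreateRepository
              - codeartifact:DescribeDomain
              - codeartifact:GetAuthorizationToken
              - codeartifact:GetDomainPermissionsPolicy
              - codeartifact:ListRepositoriesInDomain
            Resource: '*'
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
  SharedLibraries:
    Type: AWS::CodeArtifact::Repository
    Properties:
      DomainName: !GetAtt SharedDomain.Name
      RepositoryName: shared-libraries
      ExternalConnections:
        - public:npmjs
      PermissionsPolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Read-only for the organization, plus the one action a team
          # repository needs in order to declare this repository as upstream.
          # No publish actions: only the shared services account can publish.
          - Effect: Allow
            Principal: '*'
            Action:
              - codeartifact:AssociateWithDownstreamRepository
              - codeartifact:DescribePackageVersion
              - codeartifact:DescribeRepository
              - codeartifact:GetPackageVersionReadme
              - codeartifact:GetRepositoryEndpoint
              - codeartifact:ListPackageVersionAssets
              - codeartifact:ListPackageVersionDependencies
              - codeartifact:ListPackageVersions
              - codeartifact:ListPackages
              - codeartifact:ReadFromRepository
            Resource: '*'
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
---
# Deployed in an application team's account: the team's own repository,
# created in the shared domain, with the shared library repository upstream.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SharedServicesAccountId:
    Type: String   # placeholder: 12-digit ID of the domain owner
Resources:
  TeamRepository:
    Type: AWS::CodeArtifact::Repository
    Properties:
      DomainName: company-packages
      DomainOwner: !Ref SharedServicesAccountId
      RepositoryName: team-a-packages
      # Requests for a package not in this repository fall through to
      # shared-libraries, so common packages are pulled from one vetted place.
      Upstreams:
        - shared-libraries
```

Consumers in the team account still need `codeartifact:GetAuthorizationToken` and `sts:GetServiceBearerToken` in their identity policies to obtain a token, and the team's own full-access policy on `team-a-packages` (publish, read, and policy management) is set on that repository, not on the domain.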
Author: Emma · Last updated May 17, 2026
A company deploys an application to Amazon EC2 instances. The application runs Amazon Linux 2 and uses AWS CodeDeploy. The application has the following file structure for its code repository:
The appspec.yml file has the following c...
Analysis of the AppSpec File Structure:
The appspec.yml file controls how AWS CodeDeploy copies the revision onto the instance. Its `files` section is a list of `source`/`destination` pairs, and the same source file may appear in more than one pair, so one file can be delivered to several places. Based on the file structure and the content of the `appspec.yml`, we can work out where config.txt ends up.
Let's break down the contents of the `appspec.yml` file in relation to the destination paths:
- Source: A path relative to the root of the revision bundle. Naming a file (e.g. `config.txt`) copies that one file; naming a directory copies the directory's contents; `/` copies the whole bundle with its directory structure.
- Destination: An absolute directory on the EC2 instance. A file source is placed inside it under its own name; a directory or `/` source reproduces its tree underneath it.
Scenario Breakdown:
- A) The config.txt file will be deployed to only /var/www/html/config/config.txt.
- If the `files` section contains a single entry that lands `config.txt` under `/var/www/html/config`, that is the only place the file is written.
- This reading ignores the possibility of a second entry that maps the same file somewhere else, which is what the other options hinge on.
- B) The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/config.txt.
- This would be the outcome of two entries that both deliver the file directly into a directory: one with destination `/var/www/html` and one with destination `/usr/local/src`, each with `config.txt` itself (or its parent directory) as the source.
- This scenar...
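A constructed appspec.yml that shows the two mapping behaviours at once, as an added example (it is not the file from the question, whose contents are not reproduced on this page). The assumed revision layout is `appspec.yml`, `config/config.txt` and `scripts/start.sh` at the bundle root.

```yaml
# Constructed example for an Amazon Linux 2 / EC2 deployment (not the question's file).
version: 0.0
os: linux
files:
  # "/" is the bundle root: everything is copied under /var/www/html with
  # paths preserved, so config/config.txt lands at /var/www/html/config/config.txt.
  - source: /
    destination: /var/www/html
  # A second entry may name the same file. Destination is a directory, so the
  # file is also written as /usr/local/src/config.txt (directory not preserved).
  - source: config/config.txt
    destination: /usr/local/src
# Replace files that already exist at the destination instead of failing the deployment.
file_exists_behavior: OVERWRITE
permissions:
  # Tighten the copied config so only root and the service group can read it.
  - object: /usr/local/src/config.txt
    mode: 640
    owner: root
    group: www-data   # assumed service group
    type:
      - file
hooks:
  ApplicationStart:
    - location: scripts/start.sh   # assumed script inside the bundle
      timeout: 120
      runas: root
```

The practical check is to list every `files` entry whose source contains the file, then apply the destination rule to each: a file source drops the file into the destination directory, a directory or `/` source keeps the relative path below it.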
Author: Amira99 · Last updated May 17, 2026
A company has set up AWS CodeArtifact repositories with public upstream repositories. The company's development team consumes open source dependencies from the repositories in the company's internal network.
The company's security team recently discovered a critical vulnerability in the most recent version of a package that the development team consumes. The security team has produced a patched version to fix the vulnerability. The company needs to prevent t...
Analysis of the Requirements:
The company needs to:
1. Prevent the vulnerable version from being downloaded.
2. Allow the security team to publish the patched version.
Let's review each option to see which combinations of steps can effectively meet these requirements:
A) Update the status of the affected CodeArtifact package version to unlisted.
- Unlisted Status: Marking the affected package version as unlisted prevents it from being displayed in the default package listing but still allows it to be downloaded if explicitly referenced.
- Usefulness: This can partially meet the requirement by making it less discoverable, but it doesn't fully prevent the version from being downloaded unless users specifically reference it. This would not be ideal if the goal is to block it entirely.
- Conclusion: This is useful for reducing visibility but doesn't fully meet the requirement of preventing downloads outright.
B) Update the status of the affected CodeArtifact package version to deleted.
- Deleted Status: Deleting the version removes it, and its assets, from the repository, so it can no longer be downloaded from there. Two caveats apply. The repository keeps no record that the version was withheld, so anyone with publish access could republish the same version number. And because these repositories have public upstream repositories, a later request for the deleted version can cause CodeArtifact to pull it in from the upstream again, since the local repository no longer has anything that says otherwise.
- Usefulness: It does stop downloads of what is currently stored, but it is the status with the weakest guarantee: no audit trail of the decision, and two ways for the vulnerable version to come back.
- Conclusion: Workable only if the upstream no longer carries the version, or if the package's origin configuration is set to block upstream fetches for that package; otherwise archiving (option C) is the safer way to block it.
C) Update the status of the affected CodeArtifact package version to archived.
- Archived Status: An archived version cannot be downloaded and is hidden from listings, but its assets and its version record are kept, so it can be restored to Published later if that is ever needed. Keeping the record matters here: the repository still knows about the vulnerable version, which is what stops it from being pulled in afresh from the public upstream the way a deleted version could be.
- Usefulness: Archiving blocks the vulnerable version while leaving an audit trail, and it does not interfere with publishing the patched version, which carries a different version number. Archiving is not a replacement for the patched version; it is the step that blocks the old one while the patched one is published alongside it.
- Conclusion: This is a viable option for preventing access to the vulnerable version, especially...
Author: Ella · Last updated May 17, 2026
A company is running a custom-built application that processes records. All the components run on Amazon EC2 instances that run in an Auto Scaling group. Each record's processing is a multistep sequential action that is compute-intensive. Each step is always completed in 5 minutes or less.
A limitation of the current system is that if any steps fail, the application has to reprocess the record from the beginning. The com...
Key Considerations:
1. Reprocessing Only Failed Steps: The company wants to minimize reprocessing by only handling failed steps, making it important to preserve state at each step.
2. Operational Efficiency: The solution should be scalable, easy to manage, and minimize manual intervention.
3. Compute-Intensive Tasks: The steps involve compute-heavy operations, so the solution should effectively manage these tasks without introducing significant complexity.
Analysis of the Options:
A) Create a web application to write records to Amazon S3. Use S3 Event Notifications to publish to an Amazon Simple Notification Service (Amazon SNS) topic. Use an EC2 instance to poll Amazon SNS and start processing. Save intermediate results to Amazon S3 to pass on to the next step.
- Pros:
- This option uses S3 for storage, allowing each step to be stored separately, which could help with saving intermediate results.
- S3 Event Notifications and SNS offer a decoupled mechanism for triggering the next step in the process.
- Cons:
- SNS is push-based: an EC2 instance cannot poll a topic. As written, the design would need an SQS queue (or an HTTP endpoint) subscribed to the topic, and the instance would then carry the step-sequencing logic itself, so the state between steps lives in application code rather than in a managed workflow.
- Intermediate results in S3 would need to be managed manually, potentially increasing operational overhead.
- Scaling: The system would require additional configuration to scale EC2 instances dynamically for compute-intensive tasks.
- Conclusion: While functional, this approach introduces complexity due to manual state management, EC2 scaling, and handling intermediate results in S3.
B) Perform the processing steps by using logic in the application. Convert the application code to run in a container. Use AWS Fargate to manage the container instances. Configure the container to invoke itself to pass the state from one step to the next.
- Pros:
- Running the application in containers via AWS Fargate abstracts away the management of EC2 instances, offering better scalability and operational efficiency.
- Containers could handle individual steps, and containerized tasks could potentially pass state from one step to another.
- Cons:
- The approach to invoking itself to pass state across steps may not be straightforward or scalable. Managing step failures and retrying individual steps within this model would introduce complexity, especially when ensuring that only the failed steps are reprocessed.
- State management would need to be handled carefully, which could be complex in a containerized setup.
- Conclusion: While Fargate provides an easy way to scale the application, the container’s logic for passing state and reprocessing failed steps might require additional management and overhead.
C) Create a web app...
Author: Oscar · Last updated May 17, 2026
A company is migrating its on-premises Windows applications and Linux applications to AWS. The company will use automation to launch Amazon EC2 instances to mirror the on-premises configurations. The migrated applications require access to shared storage that uses SMB for Windows and NFS for Linux.
The company is also creating a pilot light disaster recovery (DR) environment in another AWS Region. The company will use aut...
To determine the most suitable storage solution, we need to evaluate the requirements and constraints of the company's migration to AWS and disaster recovery needs:
1. Windows and Linux Applications: The applications require shared storage that supports SMB (for Windows) and NFS (for Linux). This indicates the need for a solution that can accommodate both protocols, providing a unified platform for shared access.
2. Disaster Recovery (DR) Environment: The company needs to replicate the storage from the primary region to the DR region to maintain business continuity in the event of a failure.
Let's review each option based on these requirements:
A) Amazon S3 for the application storage with S3 Cross-Region Replication (CRR)
- SMB/NFS Support: Amazon S3 does not natively support SMB or NFS, which are required for the applications. S3 is typically used for object storage, not shared file storage with protocol support.
- Replication: While S3 Cross-Region Replication (CRR) can replicate data across regions, it's unsuitable for the needs of shared file systems with SMB/NFS access.
- Conclusion: Not suitable due to lack of SMB/NFS support for shared file storage.
B) Amazon Elastic Block Store (Amazon EBS) with AWS Backup and Snapshots
- SMB/NFS Support: EBS is block storage attached to a single instance (Multi-Attach exists only for io1/io2 volumes within one Availability Zone and still requires a cluster-aware file system); it speaks neither SMB nor NFS. Serving either protocol would mean running and maintaining your own file-server instances on top of the volumes.
- Replication: AWS Backup can copy EBS snapshots to the DR Region, but a snapshot copy is a point-in-time backup that has to be restored into new volumes, not replicated shared storage that a pilot-light environment can mount as it comes up.
- Conclusion: Not ideal because it...
Author: Akash · Last updated May 17, 2026
A company's application uses a fleet of Amazon EC2 On-Demand Instances to analyze and process data. The EC2 instances are in an Auto Scaling group. The Auto Scaling group is a target group for an Application Load Balancer (ALB). The application analyzes critical data that cannot tolerate interruption. The application also analyzes noncritical data that can withstand interruption.
The critical data analysis requires quick scalability in response to real-time application demand. The noncritical data analysis involves memory consum...
Let's break down the requirements and match them with the options provided:
1. Critical Data: The application requires quick scalability to handle real-time demand for processing critical data. It cannot tolerate interruptions, so instances for critical data must be highly reliable and scalable.
2. Noncritical Data: Noncritical data can withstand interruptions and can be processed using instances that are more cost-effective, such as Spot Instances. Additionally, this data involves memory consumption, which can be addressed by configuring custom memory utilization metrics.
Option A) For the critical data, modify the existing Auto Scaling group. Create a warm pool instance in the stopped state. Define the warm pool size. Create a new version of the launch template that has detailed monitoring enabled. Use Spot Instances.
- Critical Data Scalability: Spot Instances are not ideal for critical data because they can be terminated by AWS at any time, making them unsuitable for workloads that cannot tolerate interruption.
- Warm Pool: Using a warm pool with stopped instances can speed up scaling by keeping instances pre-warmed, but using Spot Instances for critical data processing isn't recommended.
- Conclusion: Rejected due to the use of Spot Instances for critical data.
Option B) For the critical data, modify the existing Auto Scaling group. Create a warm pool instance in the stopped state. Define the warm pool size. Create a new version of the launch template that has detailed monitoring enabled. Use On-Demand Instances.
- Critical Data Scalability: On-Demand Instances are suitable for critical data as they ensure availability and reliability, which is required for workloads that cannot tolerate interruptions.
- Warm Pool: A warm pool of On-Demand instances in a stopped state helps to reduce scale-out latency by pre-warming instances. This provides the necessary scalability to respond to real-time application demand for critical data.
- Conclusion: This is a good option because it meets the scalability requirements for critical data without the risk of interruption.
Option C) For the critical data, modify the existing Auto Scaling group. Create a lifecycle hook to ensure that bootstrap scripts are completed successfully. Ensure that the application on the instances is ready to accept traffic before the instances are registered. Create a new version of the launch template that has detailed monitoring enabled.
- Critical Data Scalability: This option focuses on ensuring that instances are fully prepared before receiving traffic, which is essential for ensuring that critical data is processed properly. However, it does not directly address quick scalability or performance improvements for scaling out in response to real-time demand.
- Lifecycle Hook: While useful for ensuring proper initialization, it doesn't enh...
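The critical-data half of option B, an On-Demand Auto Scaling group with a stopped warm pool and a launch template with detailed monitoring, as an added CloudFormation example (not the company's configuration). The AMI, subnets and target group are parameters, and the instance type, sizes and target CPU value are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - On-Demand Auto Scaling group with a stopped warm pool and detailed monitoring (placeholder sizes)
Parameters:
  AmiId:
    Type: AWS::EC2::Image::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  TargetGroupArn:
    Type: String   # the ALB target group the application already uses
Resources:
  CriticalLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: critical-analysis
      LaunchTemplateData:
        ImageId: !Ref AmiId
        InstanceType: c6i.xlarge
        # Detailed monitoring publishes 1-minute CloudWatch metrics, so the
        # scaling policy reacts sooner than with the 5-minute default.
        Monitoring:
          Enabled: true
        # No InstanceMarketOptions: capacity is On-Demand, never Spot, because
        # the critical analysis cannot tolerate interruption.
  CriticalAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '2'
      MaxSize: '20'
      DesiredCapacity: '2'
      VPCZoneIdentifier: !Ref SubnetIds
      TargetGroupARNs:
        - !Ref TargetGroupArn
      LaunchTemplate:
        LaunchTemplateId: !Ref CriticalLaunchTemplate
        Version: !GetAtt CriticalLaunchTemplate.LatestVersionNumber
      # Only instances the ALB reports healthy count as in service.
      HealthCheckType: ELB
      HealthCheckGracePeriod: 120
  CriticalWarmPool:
    Type: AWS::AutoScaling::WarmPool
    Properties:
      AutoScalingGroupName: !Ref CriticalAutoScalingGroup
      # Pre-initialized instances wait in the Stopped state (EBS charges only)
      # and are started on scale-out instead of being launched and
      # bootstrapped from scratch, which is where most scale-out latency goes.
      PoolState: Stopped
      MinSize: 4
      MaxGroupPreparedCapacity: 10
      InstanceReusePolicy:
        ReuseOnScaleIn: true
  CpuTargetTracking:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref CriticalAutoScalingGroup
      PolicyType: TargetTrackingScaling
      TargetTrackingConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: ASGAverageCPUUtilization
        TargetValue: 60
```

Warm-pool instances run the full launch template and user data before entering the pool, so any bootstrap step that must finish before traffic arrives has already completed when the instance is started; a lifecycle hook is only needed if something has to run again at start time.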
Author: FrozenWolf2022 · Last updated May 17, 2026
A company recently migrated its application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that uses Amazon EC2 instances. The company configured the application to automatically scale based on CPU utilization.
The application produces memory errors when it experiences heavy loads. The application also does not scale out enough to handle the increased load. ...
To meet the requirements of collecting and analyzing memory metrics over time for the application and ensuring proper scaling based on memory utilization, let's evaluate each option:
Option A) Attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM instance profile that the cluster uses.
- IAM Role: The `CloudWatchAgentServerPolicy` allows the EC2 instances in the EKS cluster to send metrics to CloudWatch. Attaching it to the IAM instance profile enables the EC2 instances to collect and report memory metrics.
- Relevance: This is a critical step because it ensures that the EC2 instances can send memory metrics (among other metrics) to CloudWatch, which is required for monitoring the application’s memory consumption.
- Conclusion: This is an essential step to enable the proper collection of metrics.
Option B) Attach the CloudWatchAgentServerPolicy managed IAM policy to a service account role for the cluster.
- IAM Role: A service account role (IAM Roles for Service Accounts) grants permissions to pods, not to the node. It is the right choice when the agent itself runs in the cluster as a Kubernetes DaemonSet; for an agent installed on the instance or baked into the AMI, as in option C, the instance profile is what applies.
- Relevance: This option pairs with a pod-based agent deployment. On its own it provides no node-level agent with permissions, and it does not match the instance-level deployment chosen here.
- Conclusion: This is not the best choice for the given scenario.
Option C) Collect performance metrics by deploying the unified Amazon CloudWatch agent to the existing EC2 instances in the cluster. Add the agent to the AMI for any new EC2 instances that are added to the cluster.
- CloudWatch Agent: Deploying the CloudWatch agent on EC2 instances enables the collection of detailed memory metrics (e.g., memory usage) from those instances. This will help the company monitor memory utilization over time and identify when memory errors are occurring.
- Relevance: This option ensures that all EC2 instances, existing and newly added, run the CloudWatch agent and report memory metrics, so the company can see memory utilization over time and correlate it with the errors. Note that these are node-level metrics (memory used on the instance). The memory that matters for the application's own scaling decisions is per-pod memory, which comes from the Kubernetes metrics pipeline (metrics-server feeding the Horizontal Pod Autoscaler) or from Container Insights when the agent runs in the cluster; node metrics show host pressure but do not by themselves drive pod autoscaling.
- Conclusion: This is a critical step to monitor memory metrics and analyze the application’s memory usage.
Option D) Collect performance logs by deploying the AWS Distro for OpenTelemetry collector as a DaemonSet.
- OpenTelemetry Collector: This solution collects and exports telemetry data (such as logs, metrics, and traces) from containers in the cluster. While useful for application ...
Author: Alexander · Last updated May 17, 2026
A company's video streaming platform usage has increased from 10,000 users each day to 50,000 users each day in multiple countries. The company deploys the streaming platform on Amazon Elastic Kubernetes Service (Amazon EKS). The EKS workload scales up to thousands of nodes during peak viewing time.
The company's users report occurrences of unauthorized logins. Users also report sudden interruptions and logouts from the platform.
The company wants additional security measures for the entire platform. The company also needs a summarized view of the resource behaviors and interactions across the company's entire AWS environment. The summarized view must show login attempts, ...
Let's break down the requirements and match them with the available options:
Key Requirements:
1. Additional Security Measures: The company needs to ensure that the platform is secure, especially regarding unauthorized logins and potential malicious behavior.
2. Summarized View of Resource Behaviors and Interactions: The company needs a clear overview of login attempts, API calls, and network traffic across the AWS environment.
3. Network Traffic Analysis: The company wants the ability to analyze network traffic.
4. Minimize Log Management Overhead: The solution should minimize the complexity of managing logs, allowing for easy investigations without extensive overhead.
5. Quick Investigation of Malicious Behavior in EKS Workloads: The solution must facilitate swift identification of malicious activities, particularly related to the EKS workload.
Evaluating the Options:
A) Enable Amazon GuardDuty for EKS Audit Log Monitoring. Enable AWS CloudTrail logs. Store the EKS audit logs and CloudTrail log files in an Amazon S3 bucket. Use Amazon Athena to create an external table. Use Amazon QuickSight to create a dashboard.
- GuardDuty: GuardDuty can monitor for suspicious activity within the EKS workload and provide findings for unusual behaviors like unauthorized login attempts.
- CloudTrail: CloudTrail can capture and log all API calls across the AWS environment, including login attempts and any changes to resources.
- S3 and Athena: Storing logs in S3 and analyzing them with Athena is a good solution for cost-effective and flexible log analysis. QuickSight allows you to visualize and create dashboards from these logs.
- Drawback: This approach requires managing logs in S3 and using Athena and QuickSight, which can add complexity to the log management process, especially for investigating network traffic.
B) Enable Amazon GuardDuty for EKS Audit Log Monitoring. Enable Amazon Detective in the company's AWS account. Enable EKS audit logs from optional source packages in Detective.
- GuardDuty: Provides continuous monitoring for suspicious activities, including unauthorized logins.
- Amazon Detective: Detective allows deeper analysis of security findings and helps identify root causes of malicious activities by visualizing network connections and resource behaviors.
- EKS Audit Logs: Detective's optional EKS audit log source pulls Kubernetes API-server audit events (who authenticated, which API calls they made, from where) into its behavior graph. Network traffic comes from the VPC flow logs that Detective already ingests, so login attempts, API calls and network activity end up in one place without the company storing or indexing any logs itself.
- Relevance: This solution is very security-focused and ideal for identifying and investigating potential malicious behavior. However, it may not fully meet t...
Author: Sofia · Last updated May 17, 2026
A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM).
The IAM team wants to implement AWS IAM Identity Center (AWS Single Sign-On). The IAM team must have only the minimum needed permissions to manage IAM Identity Center. The IAM team must not be able to gain unneeded access to the Organizations management account. The IAM team must ...
To meet the requirements of granting the IAM team the minimum needed permissions to manage AWS IAM Identity Center (AWS SSO) while ensuring they do not gain unnecessary access to the Organizations management account, we need to carefully choose the options. Let's go through each option and evaluate them:
Requirements:
1. Minimum Permissions: The IAM team needs only the permissions to manage IAM Identity Center, no more, no less.
2. No Access to Organizations Management Account: The IAM team should not have access to the organization's management account, which typically has broader administrative permissions.
3. Provisioning New Permission Sets and Assignments: The IAM team must be able to manage permission sets and assignments for both existing and new member accounts.
Evaluating the Options:
A) Create a new AWS account for the IAM team. In the new account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
- Explanation: Registering a member account as the delegated administrator for IAM Identity Center is what lets the IAM team administer the service without any credentials for the management account. One caveat: the organization-level IAM Identity Center instance can only be enabled from the management account, not from a member account, so the "enable it in the new account" step only works if Identity Center has already been enabled for the organization from the management account.
- Relevance: Working from a delegated administrator account gives the IAM team the access they need for Identity Center without giving them any role in the management account; the delegated administrator also cannot manage permission sets or assignments provisioned to the management account itself, which is exactly the boundary the requirement asks for.
- Conclusion: This is a good option because it isolates the IAM team in its own account with Identity Center as its responsibility; the sequence of enabling Identity Center is the part to get right.
B) Create a new AWS account for the IAM team. In the Organizations management account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
- Explanation: This option enables IAM Identity Center where the organization instance has to be enabled, in the management account, and then hands day-to-day administration to the new account by registering it as the delegated administrator. Enabling the service in the management account does not by itself give the IAM team any access there; the delegated administrator account is where they work.
- Relevance: The IAM team's actual permissions are then defined by a permission set assigned to them in the delegated administrator account, and a delegated administrator cannot manage permission sets provisioned to the management account, so the management account stays out of their reach.
- Conclusion: Functionally this differs from option A only in where Identity Center is enabled, and the management account is the supported place to enable the organization instance; the delegated-administrator registration is what provides the isolation in both options.
C) In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSODirectoryAdministrator managed IAM policy to the group.
- Explanation: The AWSSSODirectoryAdministrator policy allows full access to manage IAM Identity Center, including user and group management, as well as directory integration. However, this policy may grant more permissions than necessary, such as the abili...
Author: FlamePhoenix2025 · Last updated May 17, 2026
A company uses an organization in AWS Organizations that has all features enabled. The company uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to encrypt the backups.
The company needs to automate a cross-account backup of the resources that AWS Backup backs up in the primary account. The company configures cross-account backup in the Organizations management account. The company creates a new AWS account in the organization and configures an AWS Backup backup vault in the new account. The company creates a KMS key in the new account to encrypt the backups. Finally, the company configures a new backup plan in the primary account. The destination for the new backup plan is the backup vault in the n...
To ensure that backups can be copied to the new account's backup vault, the following steps must be taken to address the permissions and access control issues:
Option A: Edit the backup vault access policy in the new account to allow access to the primary account.
- Reason: The new backup vault needs to explicitly allow access from the primary account so that the backup can be copied from the primary account to the backup vault in the new account. AWS Backup uses access policies for backup vaults to allow cross-account access, so this is a necessary step.
- Conclusion: This option is correct, as it allows the primary account to send backups to the backup vault in the new account.
Option B: Edit the backup vault access policy in the primary account to allow access to the new account.
- Reason: The backup vault access policy in the primary account is for controlling who can manage backups within the primary account, not for controlling where the backups are copied. The primary account's backup vault doesn't need to grant access to the new account; the relevant permission lies in the new account's vault.
- Conclusion: This option is not correct because the primary account doesn't need to grant permissions on its own backup vault to the new account.
Option C: Edit the backup vault access policy in the primary account to allow access to the KMS key in the new account.
- Reason: The backup vault in the new account is encrypted with a KMS key from the new acco...
Author: RadiantJaguar56 · Last updated May 17, 2026
A company runs an application that uses an Amazon S3 bucket to store images. A DevOps engineer needs to implement a multi-Region strategy for the objects that are stored in the S3 bucket. The company needs to be able to fail over to an S3 bucket in another AWS Region. When an image is added to either S3 bucket, the image must be replicated to the other S3 bucket within 15 minutes.
The DevOp...
In order to meet the requirements of a multi-Region strategy for S3 bucket replication and failover, here are the appropriate steps:
Option A: Enable S3 Replication Time Control (S3 RTC) on each replication rule.
- Reason: S3 RTC ensures that the replication between S3 buckets in different Regions is completed within a defined time frame, such as 15 minutes. This is critical to meet the 15-minute replication requirement specified in the question.
- Conclusion: This option is correct because enabling S3 RTC on the replication rule guarantees timely replication.
Option B: Create an S3 Multi-Region Access Point in an active-passive configuration.
- Reason: An S3 Multi-Region Access Point enables simplified access to S3 data across multiple Regions. However, for a multi-Region failover strategy where two-way replication and seamless failover between Regions are required, a Multi-Region Access Point in an active-passive configuration alone isn't enough, as it primarily serves access, not replication or automatic failover.
- Conclusion: This option is not correct as the primary need is for replication and failover mechanisms.
Option C: Call the SubmitMultiRegionAccessPointRoutes operation in the AWS API when the company needs to fail over to the S3 bucket in the other Region.
- Reason: This operation is used to manage the routing of traffic through the Multi-Region Access Point (MRAP). It is relevant for managing access to the S3 buckets during failover but does not handle the underlying replication or automatic failover of the data itself.
- Conclusion: While this operation may be useful in the future to manage access, it does not directly address the replication or timing requirements for the backup strategy itself.
Option D: Enable S3 Transf...
Author: Sam · Last updated May 17, 2026
A company uses the AWS Cloud Development Kit (AWS CDK) to define its application. The company uses a pipeline that consists of AWS CodePipeline and AWS CodeBuild to deploy the CDK application.
The company wants to introduce unit tests to the pipeline to test various infrastructure components. The company wants to ensure that a deployme...
To ensure that the testing requirement is enforced in the pipeline, we need to focus on running unit tests during the build phase and ensuring that the deployment proceeds only when the tests pass. Here's an explanation of the selected and rejected options:
Option A: Update the CodeBuild build phase commands to run the tests then to deploy the application. Set the OnFailure phase property to ABORT.
- Reason: This is a valid approach. If you want to enforce that the deployment only occurs if the tests pass, you should set the OnFailure phase property to ABORT. This ensures that if the tests fail, the CodeBuild job is terminated, and the deployment does not proceed. This directly satisfies the requirement to ensure the deployment proceeds only if the tests pass.
- Conclusion: This option is correct because it ensures that tests are run first, and if they fail, the deployment is aborted.
Option B: Update the CodeBuild build phase commands to run the tests then to deploy the application. Add the --rollback true flag to the cdk deploy command.
- Reason: The `--rollback true` flag in `cdk deploy` allows for automatic rollback if the deployment fails, but it doesn’t directly help with running unit tests or controlling whether the deployment happens based on test results. This flag is useful for recovery from deployment issues, but it doesn't address the issue of preventing deployment if tests fail.
- Conclusion: This option is not correct because the `--rollback true` flag does not help with the testing requirement in the pipeline.
Option C: Update the CodeBuild build phase commands to run the tests then to deploy the application. Add the --require-approval any-change flag to the cdk deploy command.
- Reason: The `--require-approval any-change` f...
Author: IceDragon2023 · Last updated May 17, 2026
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are in multiple Availability Zones. The application was misconfigured in a single Availability Zone, which caused a partial outage of the application.
A DevOps engineer made changes to ensure that the unhealthy EC2 instances in one Availability Zone do not affect the healthy EC2 instances in the other Availability Zones. The DevOps engineer needs to test the applic...
To meet the requirements of ensuring that the ALB avoids sending traffic to the Availability Zone where a failure has occurred, here’s an explanation of the most suitable options:
Option A: Turn off cross-zone load balancing on the ALB. Use Amazon Route 53 Application Recovery Controller to start a zonal shift away from the Availability Zone.
- Reason: Disabling cross-zone load balancing on the ALB means that the ALB will send traffic only to EC2 instances in the same Availability Zone as the client request. However, Route 53 Application Recovery Controller can help by performing a zonal shift to ensure traffic is sent away from the affected Availability Zone. This is a valid approach for testing the failover process.
- Conclusion: This option is correct because it ensures the ALB won’t route traffic to the affected Availability Zone, and Route 53's zonal shift can be used to manage traffic routing during failure.
Option B: Turn off cross-zone load balancing on the ALB's target group. Use Amazon Route 53 Application Recovery Controller to start a zonal shift away from the Availability Zone.
- Reason: Disabling cross-zone load balancing on the ALB's target group means the load balancer will only route traffic to instances in the same Availability Zone. However, the route shift should apply to the ALB's overall traffic distribution, not just the target group itself. This option may be a step in the right direction, but turning off cross-zone load balancing on the target group alone doesn’t manage the overall failover process correctly.
- Conclusion: This option is less suitable than option A because it focuses on the ...
Author: Maya · Last updated May 17, 2026
A company sends its AWS Network Firewall flow logs to an Amazon S3 bucket. The company then analyzes the flow logs by using Amazon Athena.
The company needs to transform the flow logs and add additional data before the fl...
To meet the requirement of transforming and adding additional data to AWS Network Firewall flow logs before they are delivered to an S3 bucket, we need to choose a solution that allows for data transformation and redelivery to the same bucket. Here's an analysis of the options:
Option A: Create an AWS Lambda function to transform the data and to write a new object to the existing S3 bucket. Configure the Lambda function with an S3 trigger for the existing S3 bucket. Specify all object create events for the event type. Acknowledge the recursive invocation.
- Reason: This option suggests using an AWS Lambda function triggered by object creation in the S3 bucket. Lambda can transform the data and write the transformed log back into the S3 bucket. However, this can result in recursive invocation if the Lambda function writes new objects to the same bucket. This would trigger the Lambda function repeatedly and could cause a loop unless carefully managed.
- Conclusion: This option is feasible but requires careful handling of recursive invocations to avoid infinite loops, which makes it a bit complex and error-prone.
Option B: Enable Amazon EventBridge notifications on the existing S3 bucket. Create a custom EventBridge event bus. Create an EventBridge rule that is associated with the custom event bus. Configure the rule to react to all object create events for the existing S3 bucket and to invoke an AWS Step Functions workflow. Configure a Step Functions task to transform the data and to write the data into a new S3 bucket.
- Reason: EventBridge can react to object creation events in the S3 bucket, and Step Functions can orchestrate the process, including invoking Lambda functions for data transformation. However, this solution requires the data to be written to a new S3 bucket rather than the existing one. This violates the r...
Author: Elizabeth · Last updated May 17, 2026
A DevOps engineer needs to implement integration tests into an existing AWS CodePipeline CI/CD workflow for an Amazon Elastic Container Service (Amazon ECS) service. The CI/CD workflow retrieves new application code from an AWS CodeCommit repository and builds a container image. The CI/CD workflow then uploads the container image to Amazon Elastic Container Registry (Amazon ECR) with a new image tag version.
The integration tests must ensure that new versions of the service endpoint are reachable and that various API m...
To meet the requirements of integrating tests into an AWS CodePipeline CI/CD workflow for an Amazon ECS service with minimal management overhead, we need to consider how the solution ensures proper deployment, testing, and verification of the service's functionality without introducing unnecessary complexity. Let's go through the options step-by-step:
A) Add a deploy stage to the pipeline. Configure Amazon ECS as the action provider.
- Explanation: This option directly integrates ECS as the deployment mechanism. By adding a deploy stage with ECS as the action provider, you can ensure that the new container image is deployed to the ECS cluster. ECS takes care of the orchestration and task running with minimal management overhead.
- Why it is selected: This option directly addresses the need to deploy the application without adding extra complexity. It allows the integration tests to be run against the deployed service without extra setup.
B) Add a deploy stage to the pipeline. Configure AWS CodeDeploy as the action provider.
- Explanation: CodeDeploy is useful for more complex deployments, such as blue/green or canary deployments, to ensure minimal downtime or risk during updates. It is more suited to environments that require precise control over deployment strategies.
- Why it is rejected: Since the requirement is to test the new service version with minimal overhead, using AWS CodeDeploy would introduce unnecessary complexity and management overhead compared to using ECS directly, which is simpler and already integrated with the environment.
C) Add an appspec.yml file to the CodeCommit repository.
- Explanation: The `appspec.yml` file is used by CodeDeploy for deployment strategies, particularly for blue/green deployments or rolling updates. It specifies deployment instructions for CodeDeploy.
- Why it is rejected: This file would be needed if CodeDeploy were used, but since we are focusing on the least overhead for testing the deployed service on ECS, this step would add unnecessary complexity in the context of ECS integration and testing.
D) Update the image build pipeline stage to output an imagedefinitions.json file that references the new image tag.
- Explanation: The `imagedefin...
Author: Oliver · Last updated May 17, 2026
A company runs applications on Windows and Linux Amazon EC2 instances. The instances run across multiple Availability Zones in an AWS Region. The company uses Auto Scaling groups for each application.
The company needs a durable storage solution for the instances. The solution must use SMB for Windows and must use NFS for Linux. The solution must als...
Let's break down each option to determine which ones meet the company's requirements of durable, shared storage with support for SMB for Windows, NFS for Linux, and sub-millisecond latencies.
A) Create an Amazon Elastic File System (Amazon EFS) file system that has targets in multiple Availability Zones.
- Explanation: Amazon EFS is a scalable, managed file storage service that supports both NFS (Linux) and SMB (Windows) protocols. It can be configured to span multiple Availability Zones, providing high availability and durability. EFS also offers sub-millisecond latencies, making it an excellent solution for the requirements.
- Why it is selected: EFS supports both SMB and NFS, and it is a fully managed service with multi-AZ replication, making it ideal for high durability and low-latency storage across Windows and Linux EC2 instances.
B) Create an Amazon FSx for NetApp ONTAP Multi-AZ file system.
- Explanation: Amazon FSx for NetApp ONTAP is a managed file storage service that supports both SMB (Windows) and NFS (Linux). It also provides high performance and durability by supporting multi-AZ replication.
- Why it is selected: FSx for NetApp ONTAP meets the requirements for SMB and NFS support and provides high-performance storage with low latencies. It’s a good choice for situations where advanced data management features (such as NetApp’s ONTAP) are required. However, FSx generally has a more complex pricing and management model than EFS. This is still a strong candidate for high-performance, multi-protocol file storage.
C) Create a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume to use for shared storage.
- Explanation: Amazon EBS volumes are block-level storage devices designed to be attached to EC2 instances. EBS volumes can be shared only by using Amazon EC2 instances with specific configurations (e.g., using EBS Multi-Attach, but not for shared file systems by default).
- Why it is rejected: EBS is not suitable for use as shared storage for multiple instances, especially for multi-protocol needs like SMB and NFS. It’s designed for single-instanc...
Author: Lina Zhang · Last updated May 17, 2026
A company uses an organization in AWS Organizations that a security team and a DevOps team manage. Both teams access the accounts by using AWS IAM Identity Center.
A dedicated group has been created for each team. The DevOps team's group has been assigned a permission set named DevOps. The permission set has the AdministratorAccess managed IAM policy attached. The permission set has been applied to all accounts in the organization.
The security team wants to ensure that the DevOps team does not have access to IAM Identity Center in the organization's management a...
Let's analyze the options based on the objective: prevent the DevOps team from accessing IAM Identity Center in the organization's management account, while maintaining the necessary permissions for them in other accounts.
A) In the organization's management account, create a new OU. Move the organization's management account to the new OU. Detach the SCP from the organization root. Attach the SCP to the new OU.
- Explanation: This option involves restructuring the AWS organization by creating a new Organizational Unit (OU) for the management account, moving it to the new OU, and applying the SCP to this new OU.
- Why it is rejected: Although this approach might seem like it could help isolate the management account, it doesn’t directly solve the problem of limiting access to IAM Identity Center for the DevOps team. This option might also introduce additional complexity by requiring you to restructure the AWS Organization, which is not necessary for this use case.
B) In the organization's management account, update the SCP condition reference to the ARN of the DevOps team's group role to include the AWS account ID of the organization's management account.
- Explanation: This option suggests updating the SCP to include a condition for the DevOps team's role by referencing their ARN and account ID in the management account.
- Why it is rejected: While modifying the SCP to target specific conditions may work in some cases, this approach adds complexity and could potentially lead to mistakes in the policy configuration. The real issue here is the permission set assigned to the DevOps team’s group role in IAM Identity Center, and updating the SCP alone may not fully restrict their access to IAM Identity Center in the management account.
C) In IAM Identity Center, create a new permission set. Ensure that the assigned policy has full access but explicitly denies permission for the sso:* action and the sso-directory:* action. Update the assigned permission set for the DevOps team's group role in the organization's management account. Delete the SCP.
- Explanation: This option proposes updating t...
Author: MysticJaguar44 · Last updated May 17, 2026
An Amazon EC2 Auto Scaling group manages EC2 instances that were created from an AMI. The AMI has the AWS Systems Manager Agent installed. When an EC2 instance is launched into the Auto Scaling group, tags are applied to the EC2 instance.
EC2 instances that are launched by the...
Analyzing the options based on the requirements:
The main goal is to ensure that EC2 instances launched by the Auto Scaling group have the correct operating system configuration, which includes proper patching, configurations, and ensuring compliance. The systems must also be managed and automated without requiring manual intervention after launch.
A) Create a Systems Manager Run Command document that configures the desired instance configuration. Set up Systems Manager Compliance to invoke the Run Command document when the EC2 instances are not in compliance with the most recent patches.
- Explanation: This solution uses Systems Manager Run Command to configure instances and then invokes the document to ensure compliance. However, this solution requires a manual invocation of the Run Command when instances are out of compliance with patching.
- Why it's rejected: The main concern is that this solution is reactive. It only triggers after the EC2 instance is already out of compliance with patches or configurations. It doesn't enforce configuration or patch management immediately after the instance launch, so it may not be proactive enough to meet the requirement of ensuring the correct operating system configuration when the instances are launched by Auto Scaling.
B) Create a Systems Manager State Manager association that links to the Systems Manager command document. Create a tag query that runs immediately.
- Explanation: Systems Manager State Manager automates configuration tasks, and by linking it with a command document, you can ensure configuration management runs automatically on instances. The tag query allows State Manager to target EC2 instances based on tags.
- Why it’s selected: This option is proactive and automatically applies the desired configuration when instances are launched. State Manager allows you to maintain the desired configuration over time, and it can automatically enforce compliance as soon as an instance is created by the Auto Scaling group. This solution aligns well with the requirement of ensuring that EC2 instances have the correct operating system configuration at launch.
...
Author: FrozenWolf2022 · Last updated May 17, 2026
A company uses AWS Organizations to manage its AWS accounts. The organization root has a child OU that is named Department. The Department OU has a child OU that is named Engineering. The default FullAWSAccess policy is attached to the root, the Department OU, and the Engineering OU.
The company has many AWS accounts in the Engineering OU. Each account has an administrative IAM role with the AdministratorAccess IAM policy attached. The default FullAWSAccessPolicy is also attached to each account.
A DevOps engineer plans to remove the FullAWSAccess policy fro...
Analyzing the Situation
The company uses AWS Organizations to manage multiple AWS accounts in a hierarchical structure. Each account has administrative IAM roles with `AdministratorAccess` attached, and the FullAWSAccess policy is applied at different levels in the organizational structure.
Now, the plan is for the DevOps engineer to remove the FullAWSAccess policy from the Department OU and replace it with a policy that only allows Amazon EC2 API operations (effectively an `Allow` statement for EC2).
Key Details:
- FullAWSAccess policy: This is a policy that likely grants broad permissions (potentially allowing all API actions on all resources).
- AdministratorAccess IAM policy: The accounts have administrative roles that allow full access to AWS resources within the account.
- New policy: Replacing FullAWSAccess with a policy granting only EC2 API operations will be applied to all accounts in the Department OU, specifically for actions on EC2 resources.
Analyzing the Effects:
When the FullAWSAccess policy is removed from the Department OU and replaced with a more restrictive policy allowing only EC2 API operations, the following will happen:
- AdministratorAccess policy still grants full administrative permissions in each account within the Engineering OU. This is because IAM roles are attached at the account level, not the organizational level. So, accounts can still perform all API actions on all resources unless explicitly restricted by an SCP or other policy.
- The new policy attached at the Department OU level (restricting permissions to EC2) does not affect the administrative roles directly in the accounts i...
Author: Samuel · Last updated May 17, 2026
A company manages AWS accounts in AWS Organizations. The company needs a solution to send Amazon CloudWatch Logs data to an Amazon S3 bucket in a dedicated AWS account. The solution must support all existi...
To address this requirement, we need a solution that can send Amazon CloudWatch Logs from multiple AWS accounts within AWS Organizations to a dedicated Amazon S3 bucket. The solution must be able to handle both existing and future log groups across all accounts.
Explanation of Each Option:
A) Enable Organizations backup policies to back up all log groups to a dedicated S3 bucket. Add an S3 bucket policy that allows access from all accounts that belong to the company.
- Analysis: AWS Backup does not directly support backing up CloudWatch Logs. It's primarily designed for backing up resources like EC2 instances, RDS databases, and EBS volumes. This would not be a valid solution because AWS Backup doesn't have native integration with CloudWatch Logs.
- Why Rejected: AWS Backup doesn't support CloudWatch Logs, and it is not designed for this use case.
B) Create a backup plan in AWS Backup. Specify a dedicated S3 bucket as a backup vault. Assign all CloudWatch Logs log group resources to the backup plan. Create resource assignments in the backup plan for all accounts that belong to the company.
- Analysis: As mentioned earlier, AWS Backup does not support CloudWatch Logs as a backup resource. Therefore, even though the solution outlines creating a backup plan, AWS Backup cannot be used to back up CloudWatch Logs to S3.
- Why Rejected: AWS Backup cannot back up CloudWatch Logs, so this solution wouldn't meet the requirement.
C) Create a backup plan in AWS Backup. Specify a dedicated S3 bucket as a backup vault. Assign all existing log groups to the backup plan. Create resource assignments in the backup plan for all accounts that belong to the company. Create an AWS Systems Manager Automation runbook to assign log groups to a backup plan. Create an AWS Config r...
Author: James · Last updated May 17, 2026
A DevOps engineer manages a Java-based application that runs in an Amazon Elastic Container Service (Amazon ECS) cluster on AWS Fargate. Auto scaling has not been configured for the application.
The DevOps engineer has determined that the Java Virtual Machine (JVM) thread count is a good indicator of when to scale the application. The application serves customer traffic on port 8080 and makes JVM metrics available on port 9404.
Application use...
Let's analyze the available options to determine the best solutions that meet the requirements with the least operational overhead:
Option A: Deploy the Amazon CloudWatch agent as a container sidecar. Configure the CloudWatch agent to retrieve JVM metrics from port 9404. Create CloudWatch alarms on the JVM thread count metric to scale the application. Add a step scaling policy in Fargate to scale up and scale down based on the CloudWatch alarms.
- Analysis: This solution involves deploying the CloudWatch agent as a sidecar container to collect JVM metrics directly from port 9404. CloudWatch alarms can then be set up based on the JVM thread count to trigger auto scaling through Fargate. Step scaling policies in Fargate can be configured to handle scale-up and scale-down actions based on the alarms.
- Why Selected: This approach is simple and uses built-in AWS services (CloudWatch and Fargate) without requiring additional setup or complex integrations. It directly addresses the need to monitor JVM metrics (which are exposed on port 9404) and use them to scale the application efficiently. The operational overhead is low since it leverages native AWS integrations.
Option B: Deploy the Amazon CloudWatch agent as a container sidecar. Configure a metric filter for the JVM thread count metric on the CloudWatch log group for the CloudWatch agent. Add a target tracking policy in Fargate. Select the metric from the metric filter as a scale target.
- Analysis: This solution involves deploying the CloudWatch agent as a sidecar to collect metrics, but instead of creating alarms, it uses a metric filter to extract the JVM thread count metric from CloudWatch logs. A target tracking policy in Fargate would then be used to scale based on this metric.
- Why Rejected: This option introduces unnecessary complexity by using metric filters on CloudWatch logs. The preferred approach would be to directly use CloudWatch alarms for scaling, as it is more straightforward and easier to manage. Using logs for metric filtering also adds overhead for managing logs and parsing them, which increases complexity.
Option C: Create an Amazon Managed Service for Prometheus workspace. Deploy AWS Distro for OpenTelemetry as a container sidecar to publish the JVM metrics from port 9404 to the Prometheus workspace. Configure r...
Author: Leah · Last updated May 17, 2026
A company has an application that runs in a single AWS Region. The application runs on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and connects to an Amazon Aurora MySQL cluster. The application is built in an AWS CodeBuild project. The container images are published to Amazon Elastic Container Registry (Amazon ECR).
The company needs to replicate the state of t...
To replicate the state of the application in a second AWS Region, the company needs to ensure both the container images and the database are replicated efficiently and operationally. Let’s evaluate each option based on the factors of operational efficiency, scalability, and ease of implementation.
Explanation of Each Option:
A) Turn on Amazon S3 Cross-Region Replication (CRR) on the bucket that holds the ECR container images. Deploy the application to an EKS cluster in the second Region by referencing the new S3 bucket object URL for the container image in a Kubernetes deployment file. Configure a cross-Region Aurora Replica in the second Region. Configure the new application deployment to use the endpoints for the cross-Region Aurora Replica.
- Analysis:
  - ECR doesn't directly store container images in Amazon S3. While it's possible to enable S3 CRR, this would not apply to ECR. So, the solution of replicating ECR images via S3 CRR is flawed.
  - Setting up a cross-Region Aurora Replica is a valid approach, but the S3-based container image replication is not feasible in this context.
- Why Rejected: Misuse of S3 Cross-Region Replication for ECR and unnecessary complexity.
B) Create an Amazon EventBridge rule that reacts to image pushes to the ECR repository. Configure the EventBridge rule to invoke an AWS Lambda function to replicate the image to a new ECR repository in the second Region. Deploy the application to an EKS cluster in the second Region by referencing the new ECR repository in a Kubernetes deployment file. Configure a cross-Region Aurora Replica in the second Region. Configure the new application deployment to use the endpoints for the cross-Region Aurora Replica.
- Analysis:
  - Using EventBridge to trigger Lambda to replicate ECR images to a second Region is a valid and automated solution.
  - However, creating a cross-Region Aurora Replica in the second Region is correct, but this adds operational complexity due to the need for managing both the image replication and database replication processes separately.
  - While this approach is operationally viable, it is somewhat more complex than necessary.
- Why Rejected: Functional but adds operational complexity with managing multiple event-driven processes.
C) Turn on Cross-Region Replication to replicate the ECR...