An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity.
Which actions should a DevOps engineer take to resolve this delay? (Choose two.)

1. A. Check the ApproximateAgeOfOldestMessage metric for the SQS queu
2. B. Increase the Lambda function concurrency limit.
3. C. Check the ApproximateAgeOfOldestMessage metnc for the SQS queue Configure a redrive policy on the SQS queue.
4. D. Check the NumberOfMessagesSent metric for the SQS queu
5. E. Increase the SQS queue visibility timeout.
6. F. Check the WriteThrottleEvents metric for the DynamoDB tabl
7. G. Increase the maximum write capacity units (WCUs) for the table's scaling policy.
8. H. Check the Throttles metric for the Lambda functio
9. I. Increase the Lambda function timeout.

Correct Answer: AD
A: If the ApproximateAgeOfOldestMessages indicate that orders are remaining in the SQS queue for longer than expected, the reserved concurrency limit may be set too small to keep up with the number of orders entering the queue and is being throttled. D: The DynamoDB table is using Auto Scaling. With Auto Scaling, you create a scaling policy that specifies whether you want to scale read capacity or write capacity (or both), and the minimum and maximum provisioned capacity unit settings for the table. The ThottledWriteRequests metric will indicate if there is a throttling issue on the DynamoDB table, which can be resolved by increasing the maximum write capacity units for the table's Auto Scaling policy. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.html

A company's security policies require the use of security hardened AMIS in production environments. A DevOps engineer has used EC2 Image Builder to create a pipeline that builds the AMIs on a recurring schedule.
The DevOps engineer needs to update the launch templates of the companys Auto Scaling groups. The Auto Scaling groups must use the newest AMIS during the launch of Amazon EC2 instances.
Which solution will meet these requirements with the MOST operational efficiency?

1. A. Configure an Amazon EventBridge rule to receive new AMI events from Image Builde
2. B. Target an AWS Systems Manager Run Command document that updates the launch templates of the Auto Scaling groups with the newest AMI ID.
3. C. Configure an Amazon EventBridge rule to receive new AMI events from Image Builde
4. D. Target an AWS Lambda function that updates the launch templates of the Auto Scaling groups with the newest AMI ID.
5. E. Configure the launch template to use a value from AWS Systems Manager Parameter Store for the AMI I
6. F. Configure the Image Builder pipeline to update the Parameter Store value with the newest AMI ID.
7. G. Configure the Image Builder distribution settings to update the launch templates with the newest AMI I
8. H. Configure the Auto Scaling groups to use the newest version of the launch template.

Correct Answer: C
✑ The most operationally efficient solution is to use AWS Systems Manager Parameter Store1 to store the AMI ID and reference it in the launch template2. This way, the launch template does not need to be updated every time a new AMI is created by Image Builder. Instead, the Image Builder pipeline can update the Parameter Store value with the newest AMI ID3, and the Auto Scaling group can launch instances using the latest value from Parameter Store.
✑ The other solutions require updating the launch template or creating a new version of it every time a new AMI is created, which adds complexity and overhead. Additionally, using EventBridge rules and Lambda functions or Run Command documents introduces additional dependencies and potential points of failure.
References: 1: AWS Systems Manager Parameter Store 2: Using AWS Systems Manager parameters instead of AMI IDs in launch templates 3: Update an SSM parameter with
Image Builder

A company is implementing an Amazon Elastic Container Service (Amazon ECS) cluster to run its workload. The company architecture will run multiple ECS services on the cluster. The architecture includes an Application Load Balancer on the front end and uses multiple target groups to route traffic.
A DevOps engineer must collect application and access logs. The DevOps engineer then needs to send the logs to an Amazon S3 bucket for near-real-time analysis.
Which combination of steps must the DevOps engineer take to meet these requirements? (Choose three.)

1. A. Download the Amazon CloudWatch Logs container instance from AW
2. B. Configure this instance as a tas
3. C. Update the application service definitions to include the logging task.
4. D. Install the Amazon CloudWatch Logs agent on the ECS instance
5. E. Change the logging driver in the ECS task definition to awslogs.
6. F. Use Amazon EventBridge to schedule an AWS Lambda function that will run every 60 seconds and will run the Amazon CloudWatch Logs create-export-task comman
7. G. Then point the output to the logging S3 bucket.
8. H. Activate access logging on the AL
9. I. Then point the ALB directly to the logging S3 bucket.
10. J. Activate access logging on the target groups that the ECS services us
11. K. Then send the logs directly to the logging S3 bucket.
12. L. Create an Amazon Kinesis Data Firehose delivery stream that has a destination of the logging S3 bucke
13. M. Then create an Amazon CloudWatch Logs subscription filter for Kinesis Data Firehose.

Correct Answer: BDF
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-logging-monitoring.html

AnyCompany is using AWS Organizations to create and manage multiple AWS accounts AnyCompany recently acquired a smaller company, Example Corp. During the acquisition process, Example Corp's single AWS account joined AnyCompany's management account through an Organizations invitation. AnyCompany moved the new member account under an OU that is dedicated to Example Corp.
AnyCompany's DevOps eng•neer has an IAM user that assumes a role that is named OrganizationAccountAccessRole to access member accounts. This role is configured with a full access policy When the DevOps engineer tries to use the AWS Management Console to assume the role in Example Corp's new member account, the DevOps engineer receives the following error message "Invalid information in one or more fields. Check your information or contact your administrator."
Which solution will give the DevOps engineer access to the new member account?

1. A. In the management account, grant the DevOps engineer's IAM user permission to assume the OrganzatlonAccountAccessR01e IAM role in the new member account.
2. B. In the management account, create a new SCR In the SCP, grant the DevOps engineer's IAM user full access to all resources in the new member accoun
3. C. Attach the SCP to the OU that contains the new member account,
4. D. In the new member account, create a new IAM role that is named OrganizationAccountAccessRol
5. E. Attach the AdmInistratorAccess AVVS managed policy to the rol
6. F. In the role's trust policy, grant the management account permission to assume the role.
7. G. In the new member account edit the trust policy for the Organ zationAccountAccessRole IAM rol
8. H. Grant the management account permission to assume the role.

Correct Answer: C
The problem is that the DevOps engineer cannot assume the OrganizationAccountAccessRole IAM role in the new member account that joined AnyCompany’s management account through an Organizations invitation. The solution is to create a new IAM role with the same name and trust policy in the new member account.
✑ Option A is incorrect, as it does not address the root cause of the error. The DevOps engineer’s IAM user already has permission to assume the OrganizationAccountAccessRole IAM role in any member account, as this is the default role name that AWS Organizations creates when a new account joins an organization. The error occurs because the new member account does not have this role, as it was not created by AWS Organizations.
✑ Option B is incorrect, as it does not address the root cause of the error. An SCP is a policy that defines the maximum permissions for account members of an organization or organizational unit (OU). An SCP does not grant permissions to IAM users or roles, but rather limits the permissions that identity-based policies or resource-based policies grant to them. An SCP also does not affect how IAM roles are assumed by other principals.
✑ Option C is correct, as it addresses the root cause of the error. By creating a new IAM role with the same name and trust policy as the OrganizationAccountAccessRole IAM role in the new member account, the DevOps engineer can assume this role and access the account. The new role should have the AdministratorAccess AWS managed policy attached, which grants full access to all AWS resources in the account. The trust policy should allow the management account to assume the role, which can be done by specifying the management account ID as a principal in the policy statement.
✑ Option D is incorrect, as it assumes that the new member account already has the OrganizationAccountAccessRole IAM role, which is not true. The new member account does not have this role, as it was not created by AWS Organizations. Editing the trust policy of a non-existent role will not solve the problem.

To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?

1. A. Launch the instances in a public subnet with Elastic IP addresses attache
2. B. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
3. C. Set up a NAT gatewa
4. D. Deploy the EC2 instances to a private subne
5. E. Update the private subnet's route table to use the NAT gateway as the default route.
6. F. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
7. G. Create a security group for the application instances and allow only outbound traffic to the artifact repositor
8. H. Remove the security group rule once the install is complete.

Correct Answer: C
EC2 instances running in private subnets of a VPC can now have controlled access to S3 buckets, objects, and API functions that are in the same region as the VPC. You can use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have access to your S3 buckets 1- https://aws.amazon.com/pt/blogs/aws/new-vpc-endpoint-for- amazon-s3/