A company is storing 100 GB of log data in csv format in an Amazon S3 bucket SQL developers want to query this data and generate graphs to visualize it. The SQL developers also need an efficient automated way to store metadata from the csv file.
Which combination of steps will meet these requirements with the LEAST amount of effort? (Select THREE.)

1. A. Fitter the data through AWS X-Ray to visualize the data.
2. B. Filter the data through Amazon QuickSight to visualize the data.
3. C. Query the data with Amazon Athena.
4. D. Query the data with Amazon Redshift.
5. E. Use the AWS Glue Data Catalog as the persistent metadata store.
6. F. Use Amazon DynamoDB as the persistent metadata store.

Correct Answer: BCE
https://docs.aws.amazon.com/glue/latest/dg/components-overview.html

A company runs a workload on Amazon EC2 instances. The company needs a control that requires the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2 instance must be terminated.
Which solution will meet these requirements?

1. A. Set up AWS Config in the accoun
2. B. Use a managed rule to check EC2 instance
3. C. Configure the rule to remediate the findings by using AWS Systems Manager Automation to terminate the instance.
4. D. Create a permissions boundary that prevents the ec2:Runlnstance action if the ec2:MetadataHttpTokens condition key is not set to a value of require
5. E. Attach the permissions boundary to the IAM role that was used to launch the instance.
6. F. Set up Amazon Inspector in the accoun
7. G. Configure Amazon Inspector to activate deep inspection for EC2 instance
8. H. Create an Amazon EventBridge rule for an Inspector2 findin
9. I. Set an AWS Lambda function as the target to terminate the instance.
10. J. Create an Amazon EventBridge rule for the EC2 instance launch successful even
11. K. Send the event to an AWS Lambda function to inspect the EC2 metadata and to terminate the instance.

Correct Answer: B
To implement a control that requires the use of IMDSv2 on all EC2 instances in the account, the DevOps engineer can use a permissions boundary. A permissions boundary is a policy that defines the maximum permissions that an IAM entity can have. The DevOps engineer can create a permissions boundary that prevents the ec2:RunInstance action if the ec2:MetadataHttpTokens condition key is not set to a value of required. This condition key enforces the use of IMDSv2 on EC2 instances. The DevOps engineer can attach the permissions boundary to the IAM role that was used to launch the instance. This way, any attempt to launch an EC2 instance without using IMDSv2 will be denied by the permissions boundary.

A company uses an organization in AWS Organizations that has all features enabled. The company uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to encrypt the backups.
The company needs to automate a cross-account backup of the resources that AWS Backup backs up in the primary account. The company configures cross-account backup in the Organizations management account. The company creates a new AWS account in the organization and configures an AWS Backup backup vault in the new account. The company creates a KMS key in the new account to encrypt the backups. Finally, the company configures a new backup plan in the primary account. The destination for the new backup plan is the backup vault in the new account.
When the AWS Backup job in the primary account is invoked, the job creates backups in the primary account. However, the backups are not copied to the new account's backup vault.
Which combination of steps must the company take so that backups can be copied to the new account's backup vault? (Select TWO.)

1. A. Edit the backup vault access policy in the new account to allow access to the primary account.
2. B. Edit the backup vault access policy in the primary account to allow access to the new account.
3. C. Edit the backup vault access policy in the primary account to allow access to the KMS key in the new account.
4. D. Edit the key policy of the KMS key in the primary account to share the key with the new account.
5. E. Edit the key policy of the KMS key in the new account to share the key with the primary account.

Correct Answer: AE
To enable cross-account backup, the company needs to grant permissions to both the backup vault and the KMS key in the destination account. The backup vault access policy in the destination account must allow the primary account to copy backups into the vault. The key policy of the KMS key in the destination account must allow the primary account to use the key to encrypt and decrypt the backups. These steps are described in the AWS documentation12. Therefore, the correct answer is A and E.
References:
✑ 1: Creating backup copies across AWS accounts - AWS Backup
✑ 2: Using AWS Backup with AWS Organizations - AWS Backup

A company is examining its disaster recovery capability and wants the ability to switch over its daily operations to a secondary AWS Region. The company uses AWS CodeCommit as a source control tool in the primary Region.
A DevOps engineer must provide the capability for the company to develop code in the secondary Region. If the company needs to use the secondary Region, developers can add an additional remote URL to their local Git configuration.
Which solution will meet these requirements?

1. A. Create a CodeCommit repository in the secondary Regio
2. B. Create an AWS CodeBuild project to perform a Git mirror operation of the primary Region's CodeCommit repository to the secondary Region's CodeCommit repositor
3. C. Create an AWS Lambda function that invokes the CodeBuild projec
4. D. Create an Amazon EventBridge rule that reacts to merge events in the primary Region's CodeCommit repositor
5. E. Configure the EventBridge rule to invoke the Lambda function.
6. F. Create an Amazon S3 bucket in the secondary Regio
7. G. Create an AWS Fargate task to perform a Git mirror operation of the primary Region's CodeCommit repository and copy the result to the S3 bucke
8. H. Create an AWS Lambda function that initiates the Fargate tas
9. I. Create an Amazon EventBridge rule that reacts to merge events in the CodeCommitrepositor
10. J. Configure the EventBridge rule to invoke the Lambda function.
11. K. Create an AWS CodeArtifact repository in the secondary Regio
12. L. Create an AWS CodePipeline pipeline that uses the primary Region's CodeCommit repository for the source actio
13. M. Create a Cross-Region stage in the pipeline that packages the CodeCommit repository contents and stores the contents in the CodeArtifact repository when a pull request is merged into the CodeCommit repository.
14. N. Create an AWS Cloud9 environment and a CodeCommit repository in the secondary Regio
15. O. Configure the primary Region's CodeCommit repository as a remote repository in the AWS Cloud9 environmen
16. P. Connect the secondary Region's CodeCommit repository to the AWS Cloud9 environment.

Correct Answer: A
The best solution to meet the disaster recovery capability and allow developers to switch over to a secondary AWS Region for code development is option A. This involves creating a CodeCommit repository in the secondary Region and setting up an AWS CodeBuild project to perform a Git mirror operation of the primary Region’s CodeCommit repository to the secondary Region’s repository. An AWS Lambda function is then created to invoke the CodeBuild project. Additionally, an Amazon EventBridge rule is configured to react to merge events in the primary Region’s CodeCommit repository and invoke the Lambda function12. This setup ensures that the secondary Region’s repository is always up-to-date with the primary repository, allowing for a seamless transition in case of a disaster recovery event1.
References:
✑ AWS CodeCommit User Guide on resilience and disaster recovery1.
✑ AWS Documentation on monitoring CodeCommit events in Amazon EventBridge and Amazon CloudWatch Events2.

A company's development team uses AVMS Cloud Formation to deploy its application resources The team must use for an changes to the environment The team cannot use AWS Management Console or the AWS CLI to make manual changes directly.
The team uses a developer IAM role to access the environment The role is configured with the Admnistratoraccess managed policy. The company has created a new Cloudformationdeployment IAM role that has the following policy.

The company wants ensure that only CloudFormation can use the new role. The development team cannot make any manual changes to the deployed resources.
Which combination of steps meet these requirements? (Select THREE.)

1. A. Remove the AdministratorAccess polic
2. B. Assign the ReadOnIyAccess managed IAM policy to the developer rol
3. C. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks.
4. D. Update the trust of CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDepoyment role.
5. E. Configure the IAM to be to get and pass the CloudFormationDeployment role if cloudformation actions for resources,
6. F. Update the trust Of the CloudFormationDepoyment role to anow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeR01e action
7. G. Remove me Administratoraccess polic
8. H. Assign the ReadOnly/Access managed IAM policy to the developer role Instruct the developers to assume the CloudFormatondeployment role when the developers new stacks
9. I. Add an IAM policy to CloudFormationDeplyment to allow cloudformation * on an Add a policy that allows the iam.PassR01e action for ARN of if iam PassedT0Service equal cloudformation.amazonaws.com

Correct Answer: ADF
A comprehensive and detailed explanation is:
✑ Option A is correct because removing the AdministratorAccess policy and assigning the ReadOnlyAccess managed IAM policy to the developer role is a valid way to prevent the developers from making any manual changes to the deployed resources. The AdministratorAccess policy grants full access to all AWS resources and actions, which is not necessary for the developers. The ReadOnlyAccess policy grants read-only access to most AWS resources and actions, which is sufficient for the developers to view the status of their stacks. Instructing the developers to use the CloudFormationDeployment role as a CloudFormation service role when they deploy new stacks is also a valid way to ensure that only CloudFormation can use the new role. A CloudFormation service role is an IAM role that allows CloudFormation to make calls to resources in a stack on behalf of the user1. The user can specify a service role when they create or update a stack, and CloudFormation will use that role’s credentials for all operations that are performed on that stack1.
✑ Option B is incorrect because updating the trust of CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDeployment role is not a valid solution. This would allow the developers to manually assume the CloudFormationDeployment role and perform actions on the deployed resources, which is not what the company wants. The trust of CloudFormationDeployment role should only allow the cloudformation.amazonaws.com AWS principal to assume the role, as in option D.
✑ Option C is incorrect because configuring the IAM user to be able to get and pass the CloudFormationDeployment role if cloudformation actions for resources is not a valid solution. This would allow the developers to manually pass the CloudFormationDeployment role to other services or resources, which is not what the company wants. The IAM user should only be able to pass the CloudFormationDeployment role as a service role when they create or update a stack with CloudFormation, as in option A.
✑ Option D is correct because updating the trust of CloudFormationDeployment role
to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action is a valid solution. This allows CloudFormation to assume the CloudFormationDeployment role and access resources in other services on behalf of the user2. The trust policy of an IAM role defines which entities can assume the role2. By specifying cloudformation.amazonaws.com as the principal, you grant permission only to CloudFormation to assume this role.
✑ Option E is incorrect because instructing the developers to assume the
CloudFormationDeployment role when they deploy new stacks is not a valid solution. This would allow the developers to manually assume the CloudFormationDeployment role and perform actions on the deployed resources, which is not what the company wants. The developers should only use the CloudFormationDeployment role as a service role when they deploy new stacks with CloudFormation, as in option A.
✑ Option F is correct because adding an IAM policy to CloudFormationDeployment
that allows cloudformation:* on all resources and adding a policy that allows the iam:PassRole action for ARN of CloudFormationDeployment if iam:PassedToService equals cloudformation.amazonaws.com are valid solutions. The first policy grants permission for CloudFormationDeployment to perform any action with any resource using cloudformation.amazonaws.com as a service principal3. The second policy grants permission for passing this role only if it is passed by cloudformation.amazonaws.com as a service principal4. This ensures that only CloudFormation can use this role.
References:
✑ 1: AWS CloudFormation service roles
✑ 2: How to use trust policies with IAM roles
✑ 3: AWS::IAM::Policy
✑ 4: IAM: Pass an IAM role to a specific AWS service