A developer is implementing authentication and authorization for an application. The developer needs to ensure that the user credentials are never exposed.
Which approach should the developer take to meet this requirement?

A. Store the user credentials in Amazon DynamoDB. Build an AWS Lambda function to validate the credentials and authorize users.
B. Deploy a custom authentication and authorization API on an Amazon EC2 instance. Store the user credentials in Amazon S3 and encrypt the credentials using Amazon S3 server-side encryption.
C. Use Amazon Cognito to configure a user pool, and user the Cognito API to authenticate and authorize the user.
D. Store the user credentials in Amazon RDS. Enable the encryption option for the Amazon RDS DB instances. Build an API using AWS Lambda to validate the credentials and authorize users.

A developer is designing a distributed application built using a microservices architecture spanning multiple AWS accounts. The company’s operations team wants to analyze and debug application issues from a centralized account.
How can the developer meet these requirements?

A. Use an Amazon X-Ray agent with role assumption to publish data into the centralized account.
B. Use Amazon X-Ray and create a new IAM user to publish the access keys into the centralized account.
C. Use VPC Flow Logs to collect applications logs across different accounts.
D. Enable AWS CloudTrail to publish the trails in an Amazon S3 bucket in the centralized account.

A developer is monitoring an application running on an Amazon EC2 instance. The application accesses an Amazon DynamoDB table and the developer has configured a custom Amazon CloudWatch metric with data granularity of 1 second. If there are any issues, the developer wants to be notified within 30 seconds using Amazon SNS.
Which CloudWatch mechanism will satisfy this requirement?

A. Configure a high-resolution CloudWatch alarm.
B. Set up a custom AWS Lambda CloudWatch log.
C. Use a Cloud Watch stream.
D. Change to a default CloudWatch metric.

A video-hosting website has two types of members: those who pay a fee, and those who do not. Each video upload places a message in Amazon SQS. A fleet of Amazon EC2 instances polls Amazon SQS and processes each video.
The developer needs to ensure that the videos uploaded by the paying members are processed first.
How can the developer meet this requirement?

A. Create two SQS queues; one for paying members, and one for non-paying members. Poll the paying member queue first and then poll the non-paying member queue.
B. Use SQS to set priorities on individual items within a single queue; give the paying members’ videos the highest priority.
C. Use SQS to set priorities on individual items within a single queue and use Amazon SNS to encode the videos.
D. Create two Amazon SNS topics: one for paying members and one for non-paying members. Use SNS topic subscription priorities to differentiate between the two types of members.

A developer is building an application that will run on Amazon EC2 instances. The application needs to connect to an Amazon DynamoDB table to read and write records. The security team must periodically rotate access keys.
Which approach will satisfy these requirements?

A. Create an IAM role with read and write access to the DynamoDB table. Generate access keys for the user and store the access keys in the application as environment variables.
B. Create an IAM user with read and write access to the DynamoDB table. Store the user name and password in the application and generate access keys using an AWS SDK.
C. Create an IAM role, configure read and write access for the DynamoDB table, and attach to the EC2 instances.
D. Create an IAM user with read and write access to the DynamoDB table. Generate access keys for the user and store the access keys in the application as a credentials file.

A developer is building an application on Amazon EC2. The developer encountered an “Access Denied” error on some of the API calls to AWS services while testing. The developer needs to modify permissions that have been already given to the instance.
How can these requirements be met with minimal changes and minimum downtime?

A. Make a new IAM role with the needed permissions. Stop the instance. Attach the new IAM role to the instance. Start the instance.
B. Delete the existing IAM role. Attach a new IAM role with the needed permissions.
C. Stop the instance. Update the attached IAM role adding the needed permissions. Start the instance.
D. Update the attached IAM role adding the needed permissions.

A developer must build a mobile application that allows users to read and write data from an Amazon DynamoDB table to store user state for each unique user. The solution needs to limit data access to allow users access only to their own data.
Which solution below is the most secure?

A. Embed AWS access credentials into the application and create DynamoDB queries that limit user access.
B. Use Amazon Cognito identity pools to assign unique identifiers and provide user access.
C. Modify the DynamoDB table to allow public read and writes, then add client-side filtering.
D. Create a web portal for users to create an account on AWS Directory Service.

How does Envelope Encryption work in AWS KMS?

A. The Customer Master Key is used to encrypt/decrypt a data key. The Plaintext Data Key is used to encrypt customer data.
B. Two encryption keys are used. The Customer Master Key encrypts customer data. The Data Key is used to re-encrypt the encrypted data.
C. Two encryption keys are used. The Data Key encrypts customer data. The Сustomer Master Key is used to re-encrypt the encrypted data.
D. The Customer Master Key is used to encrypt/decrypt a data key. The Encrypted Data Key is used to encrypt customer data.

A developer is building an application integrating an Amazon API Gateway with an AWS Lambda function. When calling the API, the developer receives the following error:
Wed Nov 08 01:13:00 UTC 2017 : Method completed with status: 502
What should the developer do to resolve the error?

A. Change the HTTP endpoint of the API to an HTTPS endpoint
B. Change the format of the payload sent to the API Gateway
C. Change the format of the Lambda function response to the API call
D. Change the authorization header in the API call to access the Lambda function

Which techniques will help mitigate this exception? (Choose two.)

A. Implement retries with exponential backoff
B. Use a PutRecord API instead of PutRecords
C. Reduce the frequency and/or size of the requests
D. Use Amazon SNS instead of Kinesis
E. Reduce the number of KCL consumers