A company designs a mobile app to run on AWS. The app will run on Amazon EC2 instances behind an Application Load Balancer. The instances will run in an Amazon EC2 Auto Scaling group. The app must securely access data that the company stores in Amazon DynamoDB.
Which solution is MOST secure?

A. Create an Amazon Cognito user pool for the mobile app users. Attach an IAM policy that has the required DynamoDB permissions to the user pool.
B. Create an AWS Lambda authorizer with the required DynamoDB permissions. Attach the Lambda authorizer to the Application Load Balancer.
C. Create an IAM user for each mobile user. Attach an IAM policy that provides the required DynamoDB permissions to each IAM user.
D. Create an IAM role. Attach a policy with the required DynamoDB permissions to the role. Configure the EC2 Auto Scaling launch template to attach the role to all EC2 instances.

A company deploys a local news website on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to implement authentication for viewers through well-known social identity providers (IdPs). The company's development team must use AWS native services in the solution.
Which combination of actions will meet these requirements? (Choose two.)

A. Configure Amazon Cognito user pools with social IdPs
B. Configure OpenID Connect (OIDC)-compliant IdP endpoints
C. Create an AWS Lambda authorizer as a target in the ALB target group
D. Configure an ALB listener to add a rule for authentication
E. Use Lambda@Edge to authorize viewer requests in the ALB

While developing an application that runs on Amazon EC2 in an Amazon VPC, a Developer identifies the need for centralized storage of application-level logs.
Which AWS service can be used to securely store these logs?

A. Amazon EC2 VPC Flow Logs
B. Amazon CloudWatch Logs
C. Amazon CloudSearch
D. AWS CloudTrail

A developer has an application that makes batch requests directly to Amazon DynamoDB by using the BatchGetltem low-level API operation. The responses frequently return values in the UnprocessedKeys element.
Which actions should the developer take to increase the resiliency of the application when the batch response includes values in UnprocessedKeys? (Choose two.)

A. Retry the batch operation immediately.
B. Retry the batch operation with exponential backoff and randomized delay.
C. Update the application to use an AWS software development kit (AWS SDK) to make the requests.
D. Increase the provisioned read capacity of the DynamoDB tables that the operation accesses.
E. Increase the provisioned write capacity of the DynamoDB tables that the operation accesses.

A website allows users to upload photos to Amazon S3. An S3 event invokes an AWS Lambda function that uses the Amazon Rekognition DetectLabels operation to detect real-world objects within a photo. The website needs to store this data in a search index to allow users to quickly locate all photos associated with a label.
Which solution will meet these requirements?

A. Store username and label values as S3 object tags. Retrieve and index the objects based on the tag by calling the describe-tags API with the username and label value.
B. Store username and label values as S3 object metadata keys. Include the "x-amz-meta-" prefix for each key. Search by metadata to find all the objects that share the username and label value.
C. Insert an item for each S3 key, label, and user combination into an Amazon DynamoDB table. Create a global secondary index with the username as the partition key and the label as the sort key. Call the QueryItem API on the index to find all the objects that share the username and label value
D. Insert an item for each S3 key, label, and user combination into an Amazon DynamoDB global secondary index. Define the username as the partition key. Define the label as the sort key. Call the QueryItem API on the index to find all the objects that share the username and label value.

A company is building a serverless microservice for an existing application that uses AWS Lambda functions and Amazon API Gateway. The microservice needs to automate an on-premises identity provider (IdP) that supports the OpenID Connect (OIDC) standard.
What should the company do to implement the API authorization mechanism with the LEAST operational overhead?

A. Use an API Gateway HTTP API to invoke the Lambda functions. Set the JSON Web Token (JWT) issuer as the public OIDC endpoint of the on-premises IdP.
B. Use an API Gateway HTTP API to invoke the Lambda functions. Create an Amazon Cognito identity pool. Create a federation between the identity pool and the on-premises IdP. Set the identity pool as the JSON Web Token (JWT) issuer.
C. Use an API Gateway REST API to invoke the Lambda functions. Configure the JSON Web Token (JWT) issuer to link to the on-premises IdP over the public internet.
D. Use an API Gateway REST API to invoke the Lambda functions. Create an Amazon Cognito identity pool. Create a federation between the identity pool and the on-premises IdP. Set Amazon Cognito as the authorizer.

A company is using AWS CloudFormation to deploy a two-tier application. The application will use Amazon RDS as its backend database. The company wants a solution that will randomly generate the database password during deployment. The solution also must automatically rotate the database password without requiring changes to the application.
What is the MOST operationally efficient solution that meets these requirements?

A. Use an AWS Lambda function as a CloudFormation custom resource to generate and rotate the password.
B. Use an AWS Systems Manager Parameter Store resource with the SecureString data type to generate and rotate the password.
C. Use a cron daemon on the application's host to generate and relate the password.
D. Use an AWS Secrets Manager resource to generate and rotate the password.

A company is building a cloud solution to analyze customer demographic data. The data includes personally identifiable information (PII) such as full names, street addresses, and financial records.
A developer is configuring a source Amazon DynamoDB table with a DynamoDB stream. The developer is writing an AWS Lambda function that will ingest the demographic data from the DynamoDB stream. perform analytics, and write results to a separate DynamoDB table. The application must log important AWS API workflow events for monitoring purposes, but the application must expose the PII.
Which combination of actions should the developer take to log the LARGEST amount of AWS API operational information without exposing the PII? (Choose two.)

A. Configure the DynamoDB stream to record KEYS_ONLY events.
B. Configure the DynamoDB stream to record NEW_IMAGE events.
C. Log the received event. Fetch the items from the source DynamoDB table. Log the response metadata from the API. Process and record the result in the separate DynamoDB table. Log the response metadata from the API.
D. Log the received event. Fetch the items from the source DynamoDB table. Log the response from the API. Process and record the result in the separate DynamoDB table. Log the response metadata from the API.
E. Fetch the items from the source DynamoDB table. Process the data and log workflow events without referring to the PII. Record the result in the separate DynamoDB table.

A developer is trying to determine which IAM user is calling several AWS APIs from an application.
Which service would provide this information?

A. AWS Config
B. AWS CloudTrail
C. Amazon CloudWatch
D. Amazon VPC Flow Logs

A company manages a microservices application on Amazon EC2 instances. A developer has integrated the AWS X-Ray SDK with the application. The developer also has an IAM role that is associated with the EC2 instances. The role includes the AWSXRayDaemonWriteAccess managed IAM policy.
When the developer queries the X-Ray traces by using the GetServiceGraph API operation, no errors and no trace data are returned.
What could be the reason that no X-Ray trace data is being returned? (Choose two.)

A. The X-Ray daemon is not installed on each EC2 instance.
B. The GetServiceGraph API operation is providing a StartTime value and an EndTime value that are older than 30 days.
C. X-Ray trace data is not available for querying for 30 minutes after it is captured.
D. The developer's IAM policy contains the AWSXRayReadOnlyAccess managed policy.
E. The GetServiceGraph API operation does not include an EndTime value.