A developer uses server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to store data in Amazon S3. The developer needs to decrypt and download the encrypted objects by using the GetObject API call.
What is the LEAST amount of information that the developer must provide in the API call to meet this requirement?

A. The S3 object key only
B. The S3 object key and the encryption key
C. The S3 object key and the Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) key
D. The S3 object key and a randomly salted Hash-based Message Authentication Code (HMAC) value of the encryption key

A company is running its website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Amazon EC2 Auto Scaling group. A developer needs to secure the internet-facing connection with HTTPS. The developer uses AWS Certificate Manager (ACM) to issue an X.509 certificate.
What should the developer do to secure the connection?

A. Configure the ALB to use the X.509 certificate by using the AWS Management Console.
B. Configure each EC2 instance to use the same X.509 certificate by using the AWS Management Console.
C. Export the root key of the X.509 certificate to an Amazon S3 bucket. Configure each EC2 instance to use the same X.509 certificate from the S3 bucket.
D. Export the root key of the X.509 certificate to an Amazon S3 bucket. Configure the ALB to use the X.509 certificate from the S3 bucket.

A developer deploys a custom application to three Amazon EC2 instances. The application processes messages from an Amazon Simple Queue Service (Amazon SQS) standard queue with default settings. When the developer runs a load test on the Amazon SQS queue, the developer discovers that the application processes many messages multiple times.
How can the developer ensure that the application processes each message exactly once?

A. Modify the SQS standard queue to an SQS FIFO queue.
B. Process the messages on one EC2 instance instead of three instances.
C. Create a new SQS FIFO queue. Point the application to the new queue.
D. Increase the DelaySeconds value on the current SQS queue.

A company has a new application. The company needs to secure sensitive configuration data such as database connection strings, application license codes, and API keys that the application uses to access external resources. The company must track access to the configuration data for auditing purposes. The resources are managed outside the application.
The company is not required to manage rotation of the connection strings, license codes, and API keys in the application. The company must implement a solution to securely store the configuration data and to give the application access to the configuration data. The solution must comply with security best practices.
Which solution will meet these requirements MOST cost-effectively?

A. Store the configuration data in an encrypted file on the source code bundle. Grant the application access by using IAM policies.
B. Store the configuration data in AWS Systems Manager Parameter Store. Grant the application access by using IAM policies.
C. Store the configuration data on an Amazon Elastic Block Store (Amazon EBS) encrypted volume. Attach the EBS volume to an Amazon EC2 instance to provide the application with access to the data.
D. Store the configuration data in AWS Secrets Manager. Grant the application access by using IAM policies.

A company hosts a client-side web application for one of its subsidiaries on Amazon S3. The web application can be accessed through Amazon CloudFront from https://www.example.com. After a successful rollout, the company wants to host three more client-side web applications for its remaining subsidiaries on three separate S3 buckets.
To achieve this goal, a developer moves all the common JavaScript files and web fonts to a central S3 bucket that serves the web applications. However, during testing, the developer notices that the browser blocks the JavaScript files and web fonts.
What should the developer do to prevent the browser from blocking the JavaScript files and web fonts?

A. Create four access points that allow access to the central S3 bucket. Assign an access point to each web application bucket.
B. Create a bucket policy that allows access to the central S3 bucket. Attach the bucket policy to the central S3 bucket.
C. Create a cross-origin resource sharing (CORS) configuration that allows access to the central S3 bucket. Add the CORS configuration to the central S3 bucket.
D. Create a Content-MD5 header that provides a message integrity check for the central S3 bucket. Insert the Content-MD5 header for each web application request.

A business intelligence application runs on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate.
Application-level audits require a searchable log of all API calls from users to the application. The application's developers must store the logs centrally on AWS.
Which solution will meet these requirements?

A. Install the Amazon CloudWatch agent on the Amazon EC2 host that runs Fargate.
B. Configure the awslogs log driver in the ECS task definition.
C. Configure AWS CloudTrail for the ECS containers.
D. Install the ECS logs collector on the ECS hosts.

A new mobile app uses Amazon Cognito web identity federation. Immediately after a user logs in, the following error occurs:
AccessDenied — Not authorized to perform sts:AssumeRoleWithWebIdentity
A developer determines that the Amazon Cognito configuration appears to be correct.
Which of the following could be the cause of the error?

A. The app's developer incorrectly defined the authenticated principal role access policy.
B. The app could not confirm the user in the user pool.
C. The app could not properly authenticate the user with the identity provider.
D. The app's developer incorrectly defined the authenticated principal role trust policy.

An application receives authenticated user data in the form of a JSON Web Token (JWT) from an Amazon Cognito user pool. A developer is setting up an Amazon API Gateway API to handle requests from the application and is using the token to verify the user's identity.
Which of the following must the developer validate before the user data can be trusted?

A. The token's nonce
B. The key ID in the token's header
C. The token's signature
D. The token's issuer claim

A developer is deploying a company's application to Amazon EC2 instances. The application generates gigabytes of data files each day. The files are rarely accessed, but the files must be available to the application's users within minutes of a request during the first year of storage. The company must retain the files for 7 years.
How can the developer implement the application to meet these requirements MOST cost-effectively?

A. Store the files in an Amazon S3 bucket Use the S3 Glacier Instant Retrieval storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Deep Archive storage class after 1 year.
B. Store the files in an Amazon S3 bucket. Use the S3 Standard storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Flexible Retrieval storage class after 1 year.
C. Store the files on an Amazon Elastic Block Store (Amazon EBS) volume. Use Amazon Data Lifecycle Manager (Amazon DLM) to create snapshots of the EBS volumes and to store those snapshots in Amazon S3.
D. Store the files on an Amazon Elastic File System (Amazon EFS) mount. Configure EFS lifecycle management to transition the files to the EFS Standard-Infrequent Access (Standard-IA) storage class after 1 year.

A company must encrypt sensitive data that the company will store in Amazon S3. A developer must retain total control over the company's AWS Key Management Service (AWS KMS) key and the company's data keys. The company currently uses an on-premises hardware security module (HSM) solution. The company wants to move its key management onto AWS.
Which solution will meet these requirements?

A. Implement server-side encryption with AWS KMS managed keys (SSE-KMS). Use AWS CloudHSM to generate the KMS key and data keys to use with AWS KMS.
B. Implement server-side encryption with customer-provided encryption keys (SSE-C). Use AWS CloudHSM to generate the KMS key and manage the data keys that the company will use to read and write objects to Amazon S3.
C. Implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use AWS CloudHSM to generate the KMS key and manage the data keys that the company will use to read and write objects to Amazon S3.
D. Implement server-side encryption with AWS KMS managed keys (SSE-KMS). Use the AWS KMS custom key store feature to manage the data keys. Then read or write objects to Amazon S3 as normal.