A developer is testing a new file storage application that uses an Amazon CloudFront distribution to serve content from an Amazon S3 bucket. The distribution accesses the S3 bucket by using an origin access identity (OAI). The S3 bucket's permissions explicitly deny access to all other users.
The application prompts users to authenticate on a login page and then uses signed cookies to allow users to access their personal storage directories. The developer has configured the distribution to use its default cache behavior with restricted viewer access and has set the origin to point to the S3 bucket. However, when the developer tries to navigate to the login page, the developer receives a 403 Forbidden error.
The developer needs to implement a solution to allow unauthenticated access to the login page. The solution also must keep all private content secure.
Which solution will meet these requirements?

A. Add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to the path of the login page, and make viewer access unrestricted. Keep the default cache behavior's settings unchanged.
B. Add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to *, and make viewer access restricted. Change the default cache behavior's path pattern to the path of the login page, and make viewer access unrestricted.
C. Add a second origin as a failover origin to the default cache behavior. Point the failover origin to the S3 bucket. Set the path pattern for the primary origin to * and make viewer access restricted. Set the path pattern for the failover origin to the path of the login page, and make viewer access unrestricted.
D. Add a bucket policy to the S3 bucket to allow read access. Set the resource on the policy to the Amazon Resource Name (ARN) of the login page object in the S3 bucket. Add a CloudFront function to the default cache behavior to redirect unauthorized requests to the login page's S3 URI.

A developer is creating an AWS Lambda function to process streaming data from an Amazon Kinesis data stream. When the Lambda function parses the data and encounters a malformed record from the stream, the Lambda function exits with an error.
The developer is observing duplicate records downstream from the function. When the developer uses a different client to examine the Kinesis data stream output, no duplicate records are visible in the stream.
What is the reason for the duplicate records?

A. The Lambda function did not advance the Kinesis data stream pointer to the next record after the error.
B. The Lambda event source used asynchronous invocation.
C. The Lambda function did not handle the error, and the Lambda service attempted to reprocess the data.
D. The Lambda function did not keep up with the amount of data that was coming from the Kinesis data stream.

A company's developer is creating an application that uses Amazon API Gateway. The company wants to ensure that only users in the Sales department can use the application. The users authenticate to the application by using federated credentials from a third-party identity provider (ldP) through Amazon Cognito.
The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer.
To test the access limitation, the developer sets their department to Engineering in the IdP and attempts to log in to the application. The developer is denied access. The developer then updates their department to Sales in the IdP and attempts to log in. Again, the developer is denied access. The developer checks the logs and discovers that access is being denied because the developer's access token has a department value of Engineering.
Which of the following is a possible reason that the developer's department is still being reported as Engineering instead of Sales?

A. Authorization caching is enabled in the custom Lambda authorizer.
B. Authorization caching is enabled on the Amazon Cognito user pool.
C. The IAM role for the custom Lambda authorizer does not have a Department tag.
D. The IAM role for the Amazon Cognito user pool does not have a Department tag.

A government agency deploys a REST application on AWS. The agency integrates the application with AWS Lambda. The agency accesses the application through Amazon API Gateway. The agency has the following policies:
– Number versions to manage the deployment of all Lambda functions to production
– Create a PROD alias to point to each function
– Reference the PROD aliases in the production stages of API Gateway
One Lambda function contains the environment variables that are used to externalize connection parameters.
The PROD alias points to version 10 of the Lambda function. A developer needs to update the connection parameters and ensure that the updated Lambda function is available on production.
Which solution will meet these requirements?

A. Update the environment variable values on version 10 of the Lambda function. Do not change the PROD alias.
B. Update the environment variable values on version 10 of the Lambda function. Save the changes to create version 11. Update the PROD alias so that it points to version 11.
C. Update the environment variable values on the SLATEST version. Do not change the PROD alias
D. Update the environment variable values on the SLATEST version. Publish SLATEST to create version 11 of the Lambda function. Update the PROD alias so that it points to version 11.

A developer is deploying Amazon Cognito as part of a new application. The Amazon Cognito user pool domain's hosted UI must match the application's deployed domain. DNS records must be updated appropriately.
What should the developer do to meet these requirements?

A. Configure the application's domain DNS setting to use the predefined domain.
B. Configure the prefix of the Amazon Cognito domain, amazoncognito.com, in the user pool app integration. Configure the application's domain DNS setting to use this new prefix.
C. Create an AWS Certificate Manager (ACM) certificate in the us-east-1 Region. Configure the user pool's app integration domain name with the custom domain. Configure the application's domain DNS setting with the supplied alias target.
D. Create an AWS Certificate Manager (ACM) certificate in the us-east-1 Region. Configure the user pool's domain app client settings with the custom domain. Configure the application's domain DNS setting with the supplied alias target.

A Developer has been asked to make changes to the source code of an AWS Lambda function. The function is managed using an AWS CloudFormation template. The template is configured to load the source code from an Amazon S3 bucket. The Developer manually created a .ZIP file deployment package containing the changes and put the file into the correct location on Amazon S3. When the function is invoked, the code changes have not been applied.
What step is required to update the function with the changes?

A. Delete the .ZIP file on S3, and re-upload by using a different object key name.
B. Update the CloudFormation stack with the correct values for the function code properties S3Bucket, S3Key, or S3ObjectVersion.
C. Ensure that the function source code is base64-encoded before uploading the deployment package to S3.
D. Modify the execution role of the Lambda function to allow S3 access permission to the deployment package .ZIP file.

A developer has created a REST API using Amazon API Gateway. The developer wants to log who and how each caller accesses the API. The developer also wants to control how long the logs are kept.
What should the developer do to meet these requirements?

A. Enable API Gateway execution logging. Delete old logs using API Gateway retention settings.
B. Enable API Gateway access logs. Use Amazon CloudWatch retention settings to delete old logs.
C. Enable detailed Amazon CloudWatch metrics. Delete old logs with a recurring AWS Lambda function.
D. Create and use API Gateway usage plans. Delete old logs with a recurring AWS Lambda function.

A company is using AWS Elastic Beanstalk to manage web applications that are running on Amazon EC2 instances. A developer needs to make configuration changes. The developer must deploy the changes to new instances only.
Which types of deployment can the developer use to meet this requirement? (Choose two.)

A. All at once
B. Immutable
C. Rolling
D. Blue/green
E. Rolling with additional batch

A developer is creating a Java application that will store sensitive data in an Amazon DynamoDB table. The data must be encrypted at all times.
How can the developer meet this requirement?

A. Enable encryption at rest by using an AWS Key Management Service (AWS KMS) AWS owned key for the DynamoDB table.
B. Enable encryption at rest by using an AWS Key Management Service (AWS KMS) customer managed key for the DynamoDB table.
C. Implement client-side encryption in the application code by using the DynamoDB Encryption Client.
D. Use an HTTPS connection to encrypt data in transit.

A social media application stores millions of video clips in Amazon S3 and serves them to users across the world. The traffic to the application varies, but access often increases suddenly to more than 10,000 PUT requests and GET requests each second. As the application has grown in popularity, users report poor quality of video streaming.
Which solution will provide the LARGEST improvement in performance?

A. Create an Amazon Route 53 geolocation routing policy.
B. Duplicate content in multiple AWS Regions by using S3 Cross Region-Replication.
C. Use S3 Intelligent-Tiering to move data based on access patterns.
D. Create an Amazon CloudFront distribution with Amazon S3 as an origin.