A company uses an organization in AWS Organizations to manage 10 AWS accounts. All features are enabled, and trusted access for AWS CloudFormation is enabled. A DevOps engineer needs to use CloudFormation to deploy an IAM role to the Organizations management account and all ...

Reasoning for Selecting the Best Option: To deploy an IAM role across all accounts in an AWS Organization, the solution must minimize manual overhead, automate the process, and ensure consistency in deployment. Let’s evaluate each option: A) Create a CloudFormation StackSet that has service-managed permissions. Set the root OU as a deployment target. - Service-managed permissions mean AWS manages the CloudFormation StackSet permissions automatically across all accounts in the organization. This is the simplest and most automated approach for managing resources across multiple accounts. - The root organizational unit (OU) as a target will cover all accounts in the organization, including the management account and member accounts, without needing any manual intervention. - Operational overhead is minimal since StackSets with service-managed permissions allow AWS CloudFormation to automatically create the necessary IAM roles and other resources in each account. - Ideal for the scenario: This is the best option because it leverages AWS-managed permissions and the root OU ensures the deployment is propagated across all accounts in the organization. B) Create a CloudFormation StackSet that has service-managed permissions. Set the root OU as a deployment target. Deploy a separate CloudFormation stack in the Organizations management account. - This option requires deploying a separate stack in the management account in addition to the StackSet deployment. - This adds extra operational overhead and complexity because you must manage two deployments: one via StackSet and one manually in the management account. - Not ideal because it introduces unnec...

Author: Ethan · Last updated May 17, 2026

A company runs an application that stores artifacts in an Amazon S3 bucket. The application has a large user base. The application writes a high volume of objects to the S3 bucket. The company has enabled event notifications for the S3 bucket. When the application writes an object to the S3 bucket, several processing tasks need to be performed simultaneously. The company's DevOps team needs to create an AWS Step Function...

Reasoning for Selecting the Best Options: To meet the requirement of processing tasks concurrently with minimal operational overhead, we need to focus on automating the workflow triggered by new S3 object uploads and ensuring that the processing tasks are done efficiently. A) Create a Standard workflow that contains a parallel state that defines the processing tasks. Create an Asynchronous Express workflow that contains a parallel state that defines the processing tasks. - Standard workflows are designed for long-running workflows and are useful for complex workflows that require tracking and retries. However, they involve more operational overhead and higher costs for this scenario. - Asynchronous Express workflows are designed for workflows that need to handle a high volume of short-lived tasks and can be cost-effective for tasks that don't need long-running execution. - While both workflows can contain parallel states, the combination of Standard and Asynchronous Express workflows adds unnecessary complexity for processing tasks that can be done more efficiently with Express workflows alone. Moreover, having two separate workflows is redundant. - Not ideal because using only one efficient workflow (like an Express workflow) is sufficient for the high volume of tasks, and there is no need to combine them with a Standard workflow. B) Create a Synchronous Express workflow that contains a map state that defines the processing tasks. - Express workflows are designed for high-volume, short-duration tasks, which fits the requirement for processing high volumes of objects in the S3 bucket. - Map state is useful when tasks need to be executed for each item in a collection (like processing each uploaded object), making it ideal for orchestrating processing tasks for multiple objects at once. - Ideal option because...

Author: Manish · Last updated May 17, 2026

A DevOps team supports an application that runs in an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). Currently, the DevOps team uses AWS CodeDeploy to deploy the application by using a blue/green all-at-once strategy. Recently, the DevOps team had to roll back a deployment when a new version of the application dramatically increased response times for requests. The DevOps team needs use to a deployment strategy that will allow the team to monitor a new version of the application before the tea...

Reasoning for Selecting the Best Options: The goal is to ensure that the new version of the application is monitored before fully shifting all traffic, with the ability to roll back quickly if issues like increased response times occur. Let's evaluate the options based on the requirements. A) Modify the CodeDeploy deployment to use the CodeDeployDefault.ECSCanary10Percent5Minutes configuration. - ECS Canary deployment strategy gradually shifts traffic to the new version in small increments (10% every 5 minutes in this case), allowing the team to monitor the performance of the new version before fully switching over. - This strategy meets the requirement of allowing the DevOps team to monitor the new version before committing fully. The "canary" phase helps detect issues early by only sending a small portion of traffic to the new version, reducing risk. - Ideal option because it allows for gradual rollout with quick rollback capability if problems arise, without requiring an immediate, full-scale switch. B) Modify the CodeDeploy deployment to use the CodeDeployDefault.ECSLinear10PercentEvery3Minutes configuration. - Linear deployment strategy shifts traffic to the new version at a consistent rate (10% every 3 minutes), which could also allow monitoring of the new version in increments. - While this strategy does allow for gradual traffic shift, it is slightly more aggressive than the Canary deployment because the shift happens faster (10% every 3 minutes compared to 5 minutes in the canary). This might be less desirable if you want to detect issues in a very small subset of traffic before scaling. - Not ideal because it does not allow as slow a ramp-up as the canary strategy, which is typically preferred when you need to monitor a new version more conservatively. C) Create an Amazon CloudWatch alarm to monitor the UnHealthyHostCount metric for the ALB. Set the alarm to activate if the metric is higher than the desired value. Associate the alarm with the CodeDeploy deployment group. Modify the deployment group to roll back when a deployment fails. - UnHealthyHostCount indicates the number of unhealthy instances in the target group. However, unhealthy hosts may not necessarily correlate directly with response times or performance issues. If there is a problem with the application that causes slow respon...

Author: Zain · Last updated May 17, 2026

A security team must record the configuration of AWS resources, detect issues, and send notifications for findings. The main workload in the AWS account consists of an Amazon EC2 Auto Scaling group that scales in and out several times during the day. The team wants to be notified within 2 days if any Amazon EC2 security group allows traffic on port 22 for 0.0.0.0/0. The team also needs a snapshot of the configuration of the AWS reso...

Reasoning for Selecting the Best Solution: The goal is to identify if any EC2 security group allows traffic on port 22 (SSH) from 0.0.0.0/0, take regular snapshots of the AWS resource configurations, and send notifications for any findings. The solution should be easy to configure, ensure that the checks are performed routinely, and send notifications when necessary. A) Configure AWS Config to use periodic recording for the AWS account. Deploy the vpc-sg-port-restriction-check AWS Config managed rule. Configure AWS Config to use the SNS topic as the target for notifications. - AWS Config with periodic recording ensures that resource configurations are checked at regular intervals (e.g., every 24 hours). The vpc-sg-port-restriction-check rule specifically checks security groups to ensure that they do not allow unrestricted access on ports like 22. - This rule checks for security groups allowing access on port 22 from `0.0.0.0/0` and can notify via SNS when the rule finds violations. - Ideal option because it provides an automated, built-in solution for detecting the specific issue (open port 22), and periodic recording ensures regular checks are performed, as required by the security team. It is also easier to set up and requires less custom code. B) Configure AWS Config to use configuration change recording for the AWS account. Deploy the vpc-sg-open-only-to-authorized-ports AWS Config managed rule. Configure AWS Config to use the SNS topic as the target for notifications. - AWS Config with configuration change recording checks for configuration changes in resources as they occur, rather than at periodic intervals. While this is useful for detecting changes in security group configurations as they happen, the rule vpc-sg-open-only-to-authorized-ports is more general in nature and may not directly catch the specific issue of open port 22 access from `0.0.0.0/0`. - This rule looks for open ports but may not be as tightly focused on the specific issue mentioned (port 22 access). - Not ideal because it is less precise in detecting the required vulnerability (open SSH port from anywhere) compared to th...

Author: Alexander · Last updated May 17, 2026

A company has proprietary data available by using an Amazon CloudFront distribution. The company needs to ensure that the distribution is accessible by only users from the corporate office that have a known set of IP address ranges. An AWS WAF web ACL is associated with the distribution...

Reasoning for Selecting the Best Solution: The goal is to ensure that the Amazon CloudFront distribution is only accessible by users from the corporate office, based on a known set of IP address ranges, while minimizing operational overhead. The AWS WAF (Web Application Firewall) is already in place with the default action set to Count, but now we need to implement more restrictive rules to only allow traffic from specified IP address ranges. A) Create a new regex pattern set. Add the regex pattern set to a new rule group. Create a new web ACL that has a default action set to Block. Associate the web ACL with the CloudFront distribution. Add a rule that allows traffic based on the new rule group. - Regex pattern sets are generally used for matching patterns in request headers, body, or URI, not for matching IP addresses. While you could technically use regex for complex matching, this solution is not ideal because it introduces unnecessary complexity for this specific requirement, which is to restrict access based on known IP address ranges. IP matching can be done more efficiently using an IP address set. - This adds operational overhead by requiring the creation of a new rule group, regex patterns, and a completely new web ACL. This makes it more complicated than needed. B) Create an AWS WAF IP address set that matches the corporate office IP address range. Create a new web ACL that has a default action set to Allow. Associate the web ACL with the CloudFront distribution. Add a rule that allows traffic from the IP address set. - This option correctly uses AWS WAF's IP address set, which is the most straightforward and efficient method for restricting access based on known IP address ranges. - Setting the default action to Allow ensures that by default, all traffic is allowed unless explicitly blocked by the rule, and the rule itself specifically allows only traffic from the IP address set (the corporate office IP ranges). - Ideal option because it...

Author: Sofia · Last updated May 17, 2026

A company runs several applications in the same AWS account. The applications send logs to Amazon CloudWatch. A data analytics team needs to collect performance metrics and custom metrics from the applications. The analytics team needs to transform the metrics data before storing the data in an Amazon S3 bucket. The analytics team must automatically...

To evaluate the best option, let’s break down the requirements: 1. Automatic Collection of New Metrics: The solution needs to automatically collect any new metrics added to the CloudWatch namespace. This is key to ensuring that when new metrics are generated, they are handled without additional manual intervention. 2. Transform Metrics Data: The metrics must be transformed before they are stored in the Amazon S3 bucket. This requires the use of Lambda functions or similar services to process the data. 3. Metrics from Multiple Applications: The company has several applications, so the solution must be able to handle metrics across multiple CloudWatch namespaces. 4. Lowest Operational Overhead: The selected solution should be as automated as possible with minimal manual intervention required once it's set up. Analysis of Options: Option A: - CloudWatch Metric Stream to capture metrics. - The stream is delivered to Amazon Data Firehose, which invokes an AWS Lambda function to transform the data. - The transformed data is delivered to the S3 bucket. Pros: - Metric streams allow automatic collection of metrics, which is aligned with the requirement of collecting new metrics from CloudWatch namespaces. - Firehose is designed to handle streaming data, making it efficient for continuous delivery. - Lambda functions can handle transformations as needed. Cons: - Requires multiple services (Metric Stream, Data Firehose, Lambda, S3) and might need more configuration for the correct setup. Option B: - Similar to Option A but with the added step of configuring the metric stream to deliver all metrics. Pros: - Also collects metrics automatically, which satisfies the requirement for new metrics. - Data Firehose with Lambda can still handle the transformation and delivery to S3. Cons: - The distinction between this and Option A isn...

Author: Joseph · Last updated May 17, 2026

A company uses an HPC platform to run analysis jobs for data. The company uses AWS CodeBuild to create container images and store the images on Amazon Elastic Container Registry (Amazon ECR). The images are then deployed on Amazon Elastic Kubernetes Service (Amazon EKS). To maintain compliance, the company needs to ensure that the images are signed before the images are deployed on Amazon EKS. The signing keys must be rotated ...

To meet the compliance requirements, the company needs to ensure that images are signed before deployment, the signing keys are rotated automatically, and there is tracking for who generates the signatures. The solution must also require the least operational effort. Key Requirements: 1. Image Signing: The images must be signed before deployment to Amazon EKS. 2. Key Rotation: The signing keys must be rotated periodically and automatically. 3. Tracking: The identity of who generated the signatures must be tracked. 4. Operational Overhead: The solution should minimize manual intervention and maintenance. Analysis of Options: Option A: - CodeBuild retrieves the image from Amazon ECR and signs it using AWS Signer. - AWS CloudTrail is used to track who generates the signatures. Pros: - AWS Signer is a managed service designed specifically for signing container images, ensuring automatic key management and rotation. - AWS CloudTrail logs events for tracking who signed the images, which helps maintain auditability and compliance. Cons: - The process involves CodeBuild retrieving images, which introduces some extra steps. However, AWS Signer is well integrated with CodeBuild and would automate the signing process as part of the pipeline. Option B: - AWS Lambda retrieves the image from Amazon ECR and signs it via a Lambda function. - Amazon CloudWatch tracks who generates the signatures. Pros: - Lambda could provide automation, but it requires custom code to retrieve and sign the images. Cons: - Lambda lacks native integration with signing services (such as AWS Signer) for image signing, making it more error-prone and requiring manual maintenance of signing logic. - CloudWatch is used for tracking but is not as...

Author: Mia · Last updated May 17, 2026

A company uses an AWS CodeArtifact repository to store Python packages that the company developed internally. A DevOps engineer needs to use AWS CodeDeploy to deploy an application to an Amazon EC2 instance. The application uses a Python package that is stored in the CodeArtifact repository. A BeforeInstall lifecycle event hook will install the...

To meet the requirement of granting the EC2 instance access to the AWS CodeArtifact repository, the solution needs to ensure that the EC2 instance can access the Python packages stored in the repository during the deployment process via AWS CodeDeploy. Let’s evaluate each option based on key factors such as security, integration with AWS services, and operational simplicity. Key Requirements: 1. Grant EC2 Access to CodeArtifact: The EC2 instance needs to access the repository to install the Python package. 2. Security: The solution must ensure that access is granted in a secure and controlled manner. 3. Operational Simplicity: The solution should minimize manual intervention and configuration complexity. Analysis of Options: Option A: - Create a service-linked role for CodeArtifact. - Associate the role with the EC2 instance. - Use the aws codeartifact get-authorization-token CLI command on the instance. Pros: - The service-linked role allows AWS services to manage permissions securely. - The CLI command can retrieve an authorization token, which is needed to authenticate to the CodeArtifact repository. Cons: - A service-linked role is primarily designed for AWS services, not for individual EC2 instances. Associating it with an EC2 instance is not the most appropriate approach. - aws codeartifact get-authorization-token is a manual process that would need to be executed at runtime, adding complexity. Option B: - Configure a resource-based policy for the CodeArtifact repository that allows the ReadFromRepository action for the EC2 instance principal. Pros: - This option involves using a resource-based policy directly on the repository, which is a good practice for controlling access to AWS resources. - It can be effective for controlling access based on the EC2 instance principal (though it depends on the principal being correctly identified). Cons: -...

Author: Kai99 · Last updated May 17, 2026

A company has a file-reading application that saves files to a database that runs on Amazon EC2 instances. Regulations require the company to delete files from EC2 instances every day at a specific time. The company must delete database records that are older than 60 days. The database record deletion must occur after the file deletions. The company has created scripts to delete files and database record...

To meet the requirements with the least development effort, the solution needs to: 1. Run the deletion scripts in sequential order: First delete the files from EC2 instances and then delete the database records. 2. Send failure notifications: The company needs to be notified via email if any part of the process fails. 3. Be easy to manage: The solution should have minimal custom development and be easily configurable. Analysis of Options: Option A: - AWS Systems Manager State Manager to invoke a Systems Manager Automation document daily at a specified time. - The Automation document runs the deletion scripts using a run command in sequence. - Amazon EventBridge rule sends failure notifications using Amazon SNS. Pros: - Systems Manager State Manager and Automation documents are managed AWS services designed to handle scheduled tasks with minimal development. - EventBridge can easily trigger an SNS notification in case of failure. - Automation documents allow sequential execution of commands and can be configured with steps that handle failures. Cons: - Amazon SNS is a great notification service, but it may require an extra step to configure a subscription (email addresses, for example). Still, this is manageable and fits well within the low effort requirement. Option B: - AWS Systems Manager State Manager invokes a Systems Manager Automation document at a specified time. - The Automation document runs the deletion scripts and contains a conditional statement to check for errors. - Amazon SES is used to send failure notifications. Pros: - Amazon SES can send emails directly and might seem like a good option for email notifications. Cons: - While SES is effective, it introduces more complexity compared to using SNS, which is simpler to set up and integrate with EventBridge. Handling email configurat...

Author: Ethan · Last updated May 17, 2026

A company uses an organization in AWS Organizations that has all features enabled to manage its AWS accounts. Amazon EQ instances run in the AWS accounts. The company requires that all current EC2 instances must use Instance Metadata Service Version 2 (IMDSv2). The company needs to b...

To meet the requirement of ensuring all EC2 instances use Instance Metadata Service Version 2 (IMDSv2) and block API calls from EC2 instances that do not comply with this policy, the company can leverage Service Control Policies (SCPs) in AWS Organizations to enforce this across all accounts. Key Requirements: 1. Use IMDSv2: All EC2 instances must use IMDSv2. 2. Block API calls from EC2 instances that do not use IMDSv2. 3. SCP Enforcement: The policy should be managed at the organization level with SCPs. Analysis of Options: Option A: - Create a new SCP statement that denies ec2:RunInstances when the ec2:MetadataHttpTokens condition key is not equal to required. - Attach the SCP to the root of the organization. Pros: - The ec2:MetadataHttpTokens condition key specifically refers to IMDS settings. When set to required, it ensures that instances will use IMDSv2 (as IMDSv1 is only allowed when set to optional). - Denying ec2:RunInstances is appropriate because it will block the launch of any EC2 instances that do not use IMDSv2. Cons: - None. This option is well-targeted and directly addresses the requirement. Option B: - Create a new SCP statement that denies ec2:RunInstances when the ec2:MetadataHttpPutResponseHopLimit condition key value is greater than two. - Attach the SCP to the root of the organization. Pros: - This option does involve metadata settings, but it focuses on the HopLimit, which is a different setting used for controlling the maximum number of allowed network hops for metadata requests, not directly related to enforcing IMDSv2. Cons: - HopL...

Author: Aditya · Last updated May 17, 2026

A DevOps team supports an application that runs on a large number of Amazon EC2 instances in an Auto Scaling group. The DevOps team uses AWS CloudFormation to deploy the EC2 instances. The application recently experienced an issue. A single instance returned errors to a large percentage of requests. The EC2 instance responded as healthy to both Amazon EC2 and Elastic Load Balancing health checks. The DevOps team collects application logs in Amazon CloudWatch by using the embedded metric format. The...

Let's break down each of the options to find the most efficient way to meet the requirements with the least operational overhead. Option A: Create a CloudWatch Contributor Insights rule that groups logs from the CloudWatch application logs based on instance ID and errors. - Reasoning: CloudWatch Contributor Insights can group logs based on specific attributes, such as instance IDs and errors, and generate metrics to identify top contributors to errors. This could potentially help identify if a specific instance is responsible for more than half of the errors. - Pros: This option provides detailed insights into the contributors to errors without manually processing log data. - Cons: This approach still involves setting up Contributor Insights rules, and might be more complex than necessary for simply receiving alerts about errors. Option B: Create a resource group in AWS Resource Groups. Use the CloudFormation stack to group the resources for the application. Add the application to CloudWatch Application Insights. Use the resource group to identify the application. - Reasoning: CloudWatch Application Insights provides automatic detection of anomalies and issues within applications based on their resource group. - Pros: This option integrates with AWS management tools. - Cons: This is more geared toward applications with complex infrastructures and is better suited for detecting high-level issues like performance anomalies rather than detailed error detection for individual EC2 instances. It might not be the best fit for the specific goal of alerting on error contributions from a single EC2 instance. Option C: Create a metric filter for the application logs to count the occurrence of the term "Error." Create a CloudWatch alarm that uses the METRIC_COUNT function to determine whether errors have occurred. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic to notify the DevOps team. - Reasoning: A metric filter could be set up to count occurrences of the term "Error" in logs, and CloudWatch alarms can be created based on the metric count to notify the team when thresholds are exceeded. - Pros: This approach provides a relatively simple and effective method to count errors and trigger an alert when thresholds are met. - Cons: While the solution is straightforward, it doesn't directly address the scenario where a specific instance is responsible for more than half of all errors. It would require...

Author: Ethan Smith · Last updated May 17, 2026

A company is using AWS CloudFormation to perform deployments of its application environment. A deployment failed during a recent update to the existing CloudFormation stack. A DevOps engineer discovered that some resources in the stack were manually modified. The DevOps engineer needs a solution that detects manual modifi...

Let's analyze the available options and choose the one that meets the requirements with the least operational effort. Option A: - Reasoning: This option uses AWS Config's managed rule `CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK`, which checks if any CloudFormation-managed resources have drifted from their expected configuration. If drift is detected (i.e., manual modifications are made to the resources), it triggers an event. An EventBridge rule is then used to monitor the `NON_COMPLIANT` state and sends an alert through an SNS topic. - Pros: This solution is managed and requires minimal setup. AWS Config and CloudFormation Drift Detection are built to handle exactly this use case. The integration with SNS for notifications is straightforward and well-supported. - Cons: There is minimal downside to this solution since it is a well-integrated and automated approach, with minimal operational overhead. Option B: - Reasoning: This option involves tagging all CloudFormation resources with a specific tag and creating a custom AWS Config rule that checks whether any changes were made to resources not managed by CloudFormation (i.e., resources where the tag is modified manually). If the changes are detected, a notification is sent via an EventBridge rule that triggers a Lambda function. - Pros: Custom tagging and custom rules provide flexibility and can apply specific checks beyond drift detection. - Cons: This option requires additional manual setup, including tagging each CloudFormation resource, creating custom rules, and developing a Lambda function for sending notifications. It's more complex than necessary for the described use case and adds operational overhead in maintaining custom tags and functions. Option C: - Reasoning: This option also uses the ...

Author: Ethan · Last updated May 17, 2026

A DevOps engineer deployed multiple AWS accounts by using AWS Control Tower to support different business, technical, and administrative units in a company. A security team needs the DevOps engineer to automate AWS Control Tower guardrails for the company. The guardrails must be applied to all accounts in an OU of the company's organization in AWS Organizations. The security team needs a solution that has version control and can be reviewed and rolled back if necessary. The security team will maintain the management of the solution in i...

Let’s evaluate each of the options to determine which best meets the requirements with the least operational overhead. Option A: - Description: Create individual AWS CloudFormation templates that align to a guardrail. Store the templates in an AWS CodeCommit repository. Create an AWS::ControlTower::EnableControl logical resource in the template for each OU in the organization. Configure an AWS CodeBuild project that an Amazon EventBridge rule will invoke for the security team's AWS CodeCommit changes. - Pros: - AWS CodeCommit offers version control, allowing for code changes to be reviewed and rolled back as needed. - CodeBuild is used for continuous integration and deployment. - CloudFormation allows for infrastructure-as-code, making the guardrails replicable across multiple accounts in the organization. - Cons: - Requires configuring an EventBridge rule to trigger the CodeBuild project, which introduces additional complexity. - While the solution provides version control, the operational overhead could increase by managing the CodeBuild project and EventBridge rule. Option B: - Description: Create individual AWS CloudFormation templates that align to a guardrail. Store the templates in an AWS CodeCommit repository. Create an AWS::ControlTower::EnableControl logical resource in the template for each account in the organization. Configure an AWS CodePipeline pipeline in the security team's account. Advise the security team to invoke the pipeline and provide these parameters when starting the pipeline. - Pros: - Using CodePipeline allows for version-controlled deployment and review of the guardrails. - The security team controls when the pipeline is triggered. - Cons: - This option requires manual intervention to start the pipeline for each account, which could increase the operational overhead. - Managing individual pipelines per account isn’t ideal for large-scale environments with multiple accounts. Option C: - Description: Create individual AWS CloudFormation templates that align to a guardrail. Store the templates in an AWS CodeCommit repository. Create an AWS::ControlTower::EnableControl logical resource in the template for each OU in the organization. Configure an AWS...

Author: Vivaan · Last updated May 17, 2026

A company runs a web application on Amazon Elastic Kubernetes Service (Amazon EKS). The company uses Amazon CloudFront to distribute the application. The company recently enabled AWS WAF. The company set up Amazon CloudWatch Logs to send logs to an aws-waf-logs log group. The company wants a DevOps engineer to receive alerts if there are sudden changes in blocked traffic. The company does not want to receive alerts for other changes in AWS WAF log behavior. The company wil...

Let's analyze each option to identify the best solution for alerting the DevOps engineer about sudden changes in blocked traffic while ignoring other changes in AWS WAF log behavior. Option A: Create a CloudWatch Logs metrics filter for blocked requests on the AWS WAF log group to create a custom metric. Create a CloudWatch alarm by using CloudWatch anomaly detection and the published custom metric. Configure the alarm to notify the SNS topic to alert the DevOps engineer. - Reasoning: This option is a good fit because it creates a custom metric specifically for blocked requests. Using CloudWatch anomaly detection on the custom metric allows you to detect sudden, abnormal changes in the blocked traffic without triggering alerts for other AWS WAF log behaviors. By configuring an alarm to notify the SNS topic, the DevOps engineer can be alerted for sudden spikes in blocked requests. - Selected: This is the most appropriate solution because it focuses on detecting changes in blocked traffic using a custom metric, aligning perfectly with the company's requirements. Option B: Create a CloudWatch anomaly detector for the log group. Create a CloudWatch alarm by using metrics that the CloudWatch anomaly detector publishes. Use the high setting for the LogAnomalyPriority metric. Configure the alarm to go into alarm state if a static threshold of one anomaly is detected. Configure the alarm to notify the SNS topic to alert the DevOps engineer. - Reasoning: CloudWatch anomaly detection for the log group can detect anomalies, but it doesn't specifically target the behavior of blocked requests. Using the high setting for the anomaly priority metric may lead to a broad detection of all types of anomalies across the logs, which could result in receiving alerts for non-blocked traffic changes as well. This could lead to unnecessary noise in the alerts. - Rejected: While anomaly detection can identify sudden changes, it may not be precise enough to isolate blocked request anomalies specifically, and it could trigger alerts for other log behavior changes. Option C: Create a CloudWatch metrics filter for counted requests on the AWS WAF log group to create a custom metric. Create a CloudWatch alarm that activates ...

Author: FrostFalcon88 · Last updated May 17, 2026

A video platform company is migrating its video catalog to AWS. The company will host MP4 videos files in an Amazon S3 bucket. The company will use Amazon CloudFront and Amazon EC2 instances to serve the video files. Users first connect to a frontend application that redirects to a video URL. The video URL contains an authorization token in CloudFront. The cache is activated on the CloudFront distribution. Authorization token check activity needs to be logged in Amazon CloudWatch. The company wants to prevent direct access to video files on CloudFront and Amazon S3 and wants to implement checks of ...

Let’s evaluate each of the provided options based on the requirements and operational efficiency. Option A: - Description: Implement an authorization token check in Lambda@Edge as a trigger on the CloudFront distribution. Enable CloudWatch logging for the Lambda@Edge function. Attach the Lambda@Edge function to the CloudFront distribution. Implement CloudFront continuous deployment to perform updates. - Pros: - Lambda@Edge allows for custom logic to be executed at CloudFront edge locations, which helps in validating the authorization token. - CloudWatch logging provides a way to capture the authorization token check activity. - Continuous deployment in CloudFront allows for regular updates without significant downtime, making the solution scalable and easy to manage. - Cons: - Lambda@Edge adds a bit of operational complexity, especially when updating the code, as changes require deployment to multiple edge locations. - However, this can be managed with continuous deployment, making it not overly burdensome. This solution is highly efficient for performing authorization checks and logging activity, especially since the logic is close to the CloudFront edge, reducing latency. Option B: - Description: Implement an authorization token check in CloudFront Functions. Enable CloudWatch logging for the CloudFront function. Attach the CloudFront function to the CloudFront distribution. Implement CloudFront continuous deployment to perform updates. - Pros: - CloudFront Functions is a lightweight and cost-effective way to run small amounts of code at CloudFront edge locations, making it well-suited for token validation. - CloudWatch logging for CloudFront Functions captures the necessary logs for the authorization token check activity. - The continuous deployment for CloudFront works well for regular code updates. - Cons: - CloudFront Functions are limited in the complexity of the code they can execute. If the authorization logic is simple, this could be ideal. However, for more complex logic, Lambda@Edge might be more appropriate. CloudFront Functions are typically the best fit for lightweight, low-latency tasks like token validation and are well-suited for this use case, offering simplicity and efficiency. Option C: - Description: Implement an authorization token check in the application code installed on EC2 instances. Install the CloudWatch agent on the EC2 instances. Configure the application to log to...

Author: Evelyn · Last updated May 17, 2026

A company uses an organization in AWS Organizations to manage multiple AWS accounts in a hierarchical structure. An SCP that is associated with the organization root allows IAM users to be created. A DevOps team must be able to create IAM users with any level of permissions. Developers must also be able to create IAM users. However, developers must not be able to grant new IAM users excessive permissions. The developers have the Crea...

Let's break down each option and analyze which ones best meet the requirements. Option A: Create an SCP in the organization to deny users the ability to create and modify IAM users. Attach the SCP to the root of the organization. Attach the CreateAndManageUsers role to developers. - Analysis: This option would effectively prevent anyone from creating or modifying IAM users across the entire organization. However, this contradicts the requirement that developers should be able to create IAM users. The DevOps team must be able to prevent other users from creating IAM users, but they must still allow developers to do so. Thus, attaching this SCP to the organization root would block developers from creating IAM users, which doesn't meet the requirements. - Rejected because it would prevent developers from creating IAM users, which contradicts the requirements. Option B: Create an SCP in the organization to grant users that have the DeveloperBoundary policy attached the ability to create new IAM users and to modify IAM users. Configure the SCP to require users to attach the PermissionBoundaries policy to any new IAM user. Attach the SCP to the root of the organization. - Analysis: This option allows developers to create and modify IAM users as long as they have the DeveloperBoundary policy attached. However, the PermissionBoundaries policy is required for the developers when creating IAM users. This option appears to allow the creation of IAM users within boundaries but doesn't fully explain how the DevOps team can prevent others from creating IAM users or how this interacts with the DevOps team's role. Additionally, the explanation doesn't cover the other necessary permissions required for DevOps users to manage IAM users. - Rejected because while it provides a policy mechanism, it doesn't fully address the control over IAM users in a way that ensures DevOps can block others from creating IAM users. Option C: Create an IAM permissions policy named PermissionBoundaries within each account. Configure the PermissionBoundaries policy to specify the maximum permissions that a developer can grant to a new IAM user. - Analysis: This policy would help limit the permissions granted by developers when they create new IAM users, but it doesn't directly address the ability to create IAM ...

Author: Emma · Last updated May 17, 2026

A company has deployed a landing zone that has a well-defined AWS Organizations structure and an SCP. The company's development team can create their AWS resources only by using AWS CloudFormation and the AWS Cloud Development Kit (AWS CDK). A DevOps engineer notices that Amazon Simple Queue Service (Amazon SQS) queues that are deployed in different CloudFormation stacks have different configurations. The DevOps engineer also notices that the application cost allocation tag is not always set. The DevOps engineer ne...

Let's analyze each option based on the requirements: enforcing tagging, promoting code reuse, and avoiding different configurations for deployed SQS queues. Option A: Create an Organizations tag policy to enforce the cost allocation tag in CloudFormation stacks. Instruct the development team to use CloudFormation to define SQS queues. Instruct the development team to deploy the SQS queues by using CloudFormation StackSets. - Analysis: This option ensures that cost allocation tags are enforced across CloudFormation stacks using an AWS Organizations tag policy, which is a good approach to enforce tagging across the organization. However, the suggestion of using CloudFormation StackSets does not directly solve the issue of avoiding different configurations for SQS queues across different stacks. The use of CloudFormation would allow for resource creation, but it doesn’t inherently solve the problem of ensuring the same configuration across stacks or promote code reuse in the context of SQS queues. - Rejected because StackSets are more for deploying the same stack across multiple regions or accounts, but do not inherently enforce uniform resource configurations or code reuse. Option B: Update the SCP to enforce the cost allocation tag in CloudFormation stacks. Instruct the development team to use CloudFormation modules to define SQS queues. Instruct the development team to deploy the SQS queues by using CloudFormation stacks. - Analysis: An SCP cannot directly enforce tagging; it is used to manage permissions. The SCP is primarily for access control, and although it could enforce who is allowed to create resources, it does not enforce tagging or resource configuration itself. The use of CloudFormation modules for defining SQS queues could promote code reuse, but it does not directly address the cost allocation tagging issue and could still result in different configurations across stacks. - Rejected because the SCP cannot enforce tagging and does not solve the configur...

Author: Sophia Clark · Last updated May 17, 2026

A DevOps team manages a company's AWS account. The company wants to ensure that specific AWS resource configuration changes are automatic...

Let's analyze each option and determine which one best meets the requirement to automatically revert specific AWS resource configuration changes. Option A: Use AWS Config rules to detect changes in resource configurations. Configure remediation action that uses AWS Systems Manager Automation documents to revert the configuration changes. - Analysis: AWS Config is a service designed specifically to monitor and assess resource configurations against predefined rules. By using AWS Config rules, you can automatically detect when configurations deviate from the desired state. When a non-compliant change is detected, you can trigger a remediation action that can automatically revert the change, using AWS Systems Manager Automation documents. This solution fits perfectly for automatically reverting configuration changes because it ensures that resources are continuously monitored and corrected in real-time without manual intervention. - Selected because it directly meets the requirement of automatically reverting configuration changes using an automated process. Option B: Use Amazon CloudWatch alarms to monitor resource metrics. When an alarm is activated, use an Amazon Simple Notification Service (Amazon SNS) topic to notify an administrator to manually revert the configuration changes. - Analysis: Amazon CloudWatch is useful for monitoring metrics related to resource performance, but it is not designed for directly monitoring configuration changes. Although you could set up alarms to notify administrators when a resource metric exceeds a threshold, this option requires manual intervention for reverting changes. Since the requirement is to automatically revert configuration changes, rely...

Author: BlazingPhoenix22 · Last updated May 17, 2026

Which functionality does Amazon SageMaker Clarify provide?

Amazon SageMaker Clarify is primarily focused on providing transparency and fairness in machine learning (ML) models. To determine which functionality it provides, let’s break down each option: --- A) Integrates a Retrieval Augmented Generation (RAG) workflow Rejected Why: RAG workflows combine language models with retrieval systems to enhance question-answering or generation tasks. This functionality is part of natural language processing solutions or tools like Amazon Bedrock or LangChain integrations—not Clarify. Scenario where A is useful: Building a chatbot or question-answering system that fetches documents in real time before generating a response. --- B) Monitors the quality of ML models in production Rejected Why: Monitoring quality in production (e.g., drift detection, performance metrics) is part of Amazon SageMaker Model Monitor, not Clarify. Clarify is used during development for bias and explainability checks. Scenario where B is u...

Author: ShadowWolf101 · Last updated May 7, 2026

A student at a university is copying content from generative AI to write essays. Which challenge of responsi...

This scenario best represents the challenge of C) Plagiarism. Selected Option: C) Plagiarism Explanation: Plagiarism involves presenting someone else’s work or ideas as your own without proper attribution. In this case, the student is copying content generated by AI and submitting it as their original work. This directly violates academic integrity policies and is a clear case of plagiarism, even though the source is an AI rather than a human. Universities generally expect students to create and cite their own work. The use of generative AI without proper attribution or critical engagement undermines the learning process and ethical standards. Rejected Options: A) Toxicity: Toxicity refers to harmful, offensive, or inappropriate language generated by AI. This challenge is concerned with AI outputs that include hate speech, bias, or harassment. This option would be relevant if the student's essay included toxic language due to the AI's output, but that is not the issue here. Scenario where ...

Author: Samuel · Last updated May 7, 2026

A company manually reviews all submitted resumes in PDF format. As the company grows, the company expects the volume of resumes to exceed the company's review capacity. The company needs an automated system to convert the PDF re...

To automate the extraction of text from PDF resumes, the key requirement is a service that can accurately extract structured or unstructured text from documents, particularly PDFs. Let's evaluate each AWS service option against this requirement: --- 🔹 A) Amazon Textract Use Case: Extracts text, tables, and forms from scanned documents and PDFs using OCR (Optical Character Recognition). Why it's suitable: Designed for document text extraction, including PDFs, scanned forms, and resumes. Handles structured and unstructured data, which is crucial for resumes that come in various formats. Returns plain text and structured data (useful for downstream processing like candidate filtering). ✅ Meets the requirement exactly. --- 🔹 B) Amazon Personalize Use Case: Builds real-time personalized recommendations for users (like recommending products, movies, or content). Why it's no...

Author: Emma · Last updated May 7, 2026

A company has fine-tuned a large language model (LLM) to answer questions for a help desk. The company wants to determine if the fine-tuning has enhanced the model...

To determine if fine-tuning has enhanced the model's accuracy in a help desk question-answering setting, the company should use a metric that evaluates both correctness and completeness of answers — especially when the task is about providing accurate responses to user queries. Let’s evaluate each option based on relevance to measuring accuracy, and where each metric is typically useful: --- A) Precision What it measures: The proportion of relevant (correct) responses out of all responses the model labeled as correct. When it's useful: In tasks where false positives (incorrect answers marked as correct) are costly — e.g., legal or medical document classification. Why it's rejected: Precision alone doesn’t capture how many correct answers were missed (false negatives), which is important when evaluating overall answer quality. It's not a full picture of accuracy in a QA context. --- B) Time to first token What it measures: The latency from prompt submission to the generation of the first token. When it's useful: In real-time or user-facing applications where speed of response is important — e.g., chatbot responsiveness. Why it's rejected: This measures efficiency, not accuracy. Faster answers are not necessarily better or more accurate. --- ...

Author: Daniel · Last updated May 7, 2026

A company is developing an ML model to predict customer churn. The model performs well on the training dataset but does not accurately predict ...

The issue described is that the model performs well on the training dataset but does not generalize to new data. This is a classic case of overfitting, where the model has learned the training data too well (including noise or irrelevant patterns), and fails to generalize. Let's evaluate each option based on this understanding: --- A) Decrease the regularization parameter to increase model complexity Rejected Decreasing regularization will make the model more complex, which tends to increase overfitting. Since the model is already overfitting (good training accuracy, poor generalization), increasing complexity will likely worsen the problem. Use case: This might be used when a model is underfitting (poor training and testing performance). --- B) Increase the regularization parameter to decrease model complexity Accepted Increasing regularization simplifies the model by penalizing large weights, which helps reduce overfitting. It encourages the model to generalize better by focusing on more robust patterns instead of memorizing training data. Use case: B...

Author: StarryEagle42 · Last updated May 7, 2026

HOTSPOT - A company wants to build an ML application. Select and order the correct steps from the following list to develop a well-ar...

Author: Alexander · Last updated May 7, 2026

Which strategy will determine if a foundation model (FM) effectively meets business objectives?

To determine if a foundation model (FM) effectively meets business objectives, the most appropriate strategy is: --- ✅ C) Assess the model's alignment with specific use cases Reasoning: This option directly ties the FM's capabilities to real-world business needs, which is crucial for determining effectiveness. Business objectives are context-specific—they vary based on industry, product, customers, and operational goals. For example: A customer support chatbot must handle domain-specific queries, not just generic conversations. A fraud detection model must minimize false positives/negatives based on actual transaction data patterns. By assessing alignment with specific use cases, stakeholders can evaluate whether the model performs in a way that adds value, such as improving efficiency, reducing cost, increasing revenue, or enhancing customer satisfaction. --- ❌ Why the other options are rejected: A) Evaluate the model's performance on benchmark datasets Benchmarks (e.g., GLUE, SuperGLUE, MMLU) test general performance, but they don’t reflect business-specific tasks or domain nuances. ...

Author: BlazingPhoenix22 · Last updated May 7, 2026

HOTSPOT - A company has developed a large language model (LLM) and wants to make the LLM available to multiple internal teams. The company needs to select the appropriate inference mode for each team. Select the correct inference mo...

Author: Ava · Last updated May 7, 2026

A company needs to log all requests made to its Amazon Bedrock API. The company must retain the logs securely for 5 years at the lowest possible cost. Which combinatio...

Let's analyze the options carefully based on the requirement: log all requests to Amazon Bedrock API, retain securely for 5 years, and at the lowest possible cost. --- Step 1: Logging the requests A) AWS CloudTrail Key factor: CloudTrail records API calls made on AWS services, including Bedrock API calls. Advantage: It provides a comprehensive audit trail of all requests, including identity, time, parameters, and response. Scenario: Ideal for logging API activity across AWS services. Verdict: Correct choice for capturing logs. B) Amazon CloudWatch Key factor: CloudWatch primarily collects operational metrics, logs, and events from AWS resources. Limitation: It collects logs generated by applications or AWS services but does not automatically log API requests across AWS like CloudTrail. Scenario: Useful for monitoring and alerting but not for capturing API request history comprehensively. Verdict: Not ideal for logging API calls. C) AWS Audit Manager Key factor: AWS Audit Manager helps automate evidence collection for audits but is not a logging service. Scenario: It builds reports from logs and data but does not itself collect API request logs. Verdict: Not for capturing logs, but useful for compliance. --- Step 2: Storing the logs securely for 5 years at lowest cost D) Amazon S3 ...

Author: IceDragon2023 · Last updated May 7, 2026

An ecommerce company wants to improve search engine recommendations by customizing the results for each user of the company's ecommerc...

Let's analyze each AWS service option to determine which best fits the ecommerce company’s need to improve search engine recommendations by customizing results for each user. --- A) Amazon Personalize Purpose: Provides machine learning-based personalization and recommendation capabilities. It helps deliver real-time personalized product and content recommendations. Key factors: Designed specifically for personalization use cases. Can ingest user interaction data (clicks, purchases, ratings) to train models. Outputs tailored recommendations for each user. Scenario: Best suited for ecommerce platforms needing personalized product recommendations, dynamic user-specific content, and improved search result customization. --- B) Amazon Kendra Purpose: An intelligent search service powered by machine learning to provide natural language search across internal documents or knowledge bases. Key factors: Focused on improving search accuracy in enterprise documents, FAQs, or internal data. Not specialized for ecommerce personalization or user behavior-driven recommendations. Scenario: Best used for enterprise document search or knowledge management, rather than user-specific product recommendations. --- C) Amazon Re...

Author: Liam · Last updated May 7, 2026

A hospital is developing an AI system to assist doctors in diagnosing diseases based on patient records and medical images. To comply with regulations, the sensitive patient data must not leave the country the data is lo...

Let's analyze each option carefully based on the requirement: Ensure sensitive patient data does not leave the country to comply with regulations and protect patient privacy. --- A) Data residency Key factor: Data residency refers to the physical or geographic location where data is stored and processed. Advantage: Enforces that data stays within specified country borders, meeting legal and regulatory requirements for sensitive data like patient records. Scenario: Essential when laws mandate that data must remain in the country (e.g., GDPR, HIPAA-related regional laws). Verdict: Correct choice because it directly addresses where data is stored and processed, ensuring compliance. --- B) Data quality Key factor: Focuses on the accuracy, completeness, and reliability of data. Advantage: Improves trustworthiness of data for decision-making. Scenario: Important for ensuring AI models get accurate input but does not address geographic or privacy regulations. Verdict: Not relevant for ensuring data...

Author: Carlos Garcia · Last updated May 7, 2026

A company needs to monitor the performance of its ML systems by using a highly scalable AWS service. ...

Let's analyze each option based on the requirement: monitoring the performance of ML systems in a highly scalable way on AWS. --- A) Amazon CloudWatch Purpose: CloudWatch is designed for monitoring AWS resources and applications in real-time. Key features: Collects and tracks metrics, collects and monitors log files, sets alarms. Provides dashboards to visualize performance data. Scales automatically to handle high data volume from multiple services. Use case for ML systems: CloudWatch can monitor ML system metrics such as latency, error rates, throughput, CPU/GPU usage, memory consumption, and custom application metrics. It helps in proactive alerting and real-time monitoring of deployed models and infrastructure. Why suitable? Directly built for performance monitoring with real-time metrics collection and alerting capabilities, and it scales seamlessly. --- B) AWS CloudTrail Purpose: CloudTrail records API calls made on your account, providing governance, compliance, and operational auditing. Key features: Tracks user and service activity. Useful for security auditing and compliance, but not performance monitoring. Why rejected? CloudTrail focuses on auditing and logging of API calls, not system or application performance metrics. It is not designed for real-time performance monitoring or metric collection. --- C) AWS Trusted Advisor ...

Author: Samuel · Last updated May 7, 2026

An AI practitioner is developing a prompt for an Amazon Titan model. The model is hosted on Amazon Bedrock. The AI practitioner is using the model to solve numerical reasoning challenges. The AI practitioner adds the following phrase to the end of the prompt: 'Ask the model to sho...

Let's analyze the prompt phrase and the options carefully: The phrase added: “Ask the model to show its work by explaining its reasoning step by step.” This phrase instructs the model to articulate its reasoning process explicitly, guiding it to break down its answer into a sequence of logical steps. --- Option A: Chain-of-thought prompting What it is: Chain-of-thought prompting encourages the model to generate intermediate reasoning steps before producing the final answer. It is used to improve performance on complex tasks like numerical reasoning or logic puzzles. Why it fits: The phrase explicitly asks the model to "show its work" and "explain reasoning step by step," which directly aligns with the chain-of-thought technique. This technique helps the model produce a transparent, stepwise explanation, improving accuracy on complex tasks. --- Option B: Prompt injection What it is: Prompt injection is a security or adversarial concept where a user tries to manipulate the model by inserting malicious or misleading instructions into the prompt to change the model's behavior undesirably. Why it is rejected: The phrase is a legitimate instruction to improve reasoning clarity, not an attempt to subvert or hijack the model. The practitioner is intentionally adding a helpful instruction, not injecting malicious code. --- Option C: Few-shot prompting What it is: Few-shot prompting involves providing the model with a few examples (input-output pairs) within the prompt so it can learn the pattern and generate better responses. Why it is rejected: Ther...

Author: Nathan · Last updated May 7, 2026

Which AWS service makes foundation models (FMs) available to help users build and scale generative A...

Let's analyze each AWS service option in the context of making foundation models (FMs) available to help users build and scale generative AI applications: --- A) Amazon Q Developer What it is: Amazon Q is not a well-known or established AWS service related to generative AI or foundation models as of now. Reason to reject: This option doesn't exist or is not relevant in the context of foundation models or generative AI. Scenario use: N/A. --- B) Amazon Bedrock What it is: Amazon Bedrock is an AWS service specifically designed to provide access to foundation models from multiple AI model providers (such as AI21 Labs, Anthropic, and Stability AI). It allows developers to build and scale generative AI applications without managing the underlying infrastructure. Why select: It enables users to easily integrate various foundation models for tasks such as text generation, summarization, chatbots, and more. It abstracts the complexity of model hosting and scaling. Scenario use: Best suited when you want a managed service that offers access to multiple foundation models (FMs) to build scalable generative AI apps quickly. --- C) Amazon Kendra What it is: Amazon Kendra is an intelligent enterprise search service powered by machine learning. Reason to reject: Kendra is specialized in search and information retrieval, not building or hosting foundation models or generative AI applications. Scenario use: ...

Author: Noah · Last updated May 7, 2026

A company is building a mobile app for users who have a visual impairment. The app must be able to hear what users say and provide voice...

Let's analyze each option in the context of the requirements: Requirements Recap: The app must hear what users say (i.e., speech recognition). The app must provide voice responses (i.e., text-to-speech or voice generation). The app is targeted at users with visual impairment, so audio input/output is crucial. --- Option A: Use a deep learning neural network to perform speech recognition. Relevance: This directly addresses the need to hear what users say by converting spoken language into text. Key Factor: Speech recognition systems often rely on deep learning neural networks. Voice responses: Once the app converts speech to text, it can generate voice responses (using text-to-speech systems). Scenario Fit: Perfect for apps requiring real-time speech input and understanding. Conclusion: This option fits perfectly for speech-to-text functionality required for hearing user speech. --- Option B: Build ML models to search for patterns in numeric data. Relevance: Numeric data pattern recognition is unrelated to speech or voice interaction. Key Factor: This option is suited for data analysis, forecasting, or anomaly detection in structured data. Scenario Fit: Useful in finance, sensor data analysis, etc., but irrelevant to hearing and responding with voice. Conclusion: Not suitable for speech or voice interaction. --- Option C:...

Author: ElectricLionX · Last updated May 7, 2026

A company wants to enhance response quality for a large language model (LLM) for complex problem-solving tasks. The tasks require detailed reasoning and a step-by-step explanat...

To enhance response quality for complex problem-solving tasks requiring detailed reasoning and step-by-step explanation, let's analyze each prompt engineering technique: --- A) Few-shot prompting Description: Provides the model with a few examples of input-output pairs before asking it to perform a similar task. Pros: Helps guide the model by example, improving performance on similar tasks. Cons: While few-shot can improve quality, it doesn't inherently instruct the model to reason step-by-step or provide detailed explanations unless the examples explicitly show that. Use case: Useful when you want the model to mimic a style or format, or when solving problems similar to the examples provided. Reason for rejection: It doesn't explicitly encourage or enforce a stepwise reasoning process, so it may not consistently produce detailed step-by-step explanations. --- B) Zero-shot prompting Description: The model is given only the instruction or question without examples. Pros: Simple, requires no example preparation. Cons: Without examples or explicit instructions, the model may give short or incomplete answers lacking detailed reasoning. Use case: Best for straightforward questions or tasks that don’t need extensive reasoning or explanation. Reason for rejection: Doesn't ensure detailed reasoning or step-by-step explanation for complex problems, so quality is less consistent. --- C) Directional stimulus prompting Description: A less common ...

Author: Kai99 · Last updated May 7, 2026

A company wants to keep its foundation model (FM) relevant by using the most recent data. The company wants to implement a model training strategy that includes ...

Let's analyze each option based on the company's goal: keeping its foundation model (FM) relevant by using the most recent data and implementing regular updates. --- A) Batch Learning Description: The model is trained on a fixed dataset in discrete batches. When new data arrives, a new batch is created, and the model is retrained or fine-tuned from scratch or partially on this batch. Pros: Simple and well-understood method. Can incorporate recent data during each retraining cycle. Cons: Retraining from scratch or even fine-tuning on batches can be computationally expensive and slow. Does not allow for continuous updating or real-time adaptation. Best Scenario: When updates can be done periodically (e.g., weekly, monthly) and there’s no need for real-time adaptation. Suitable for environments where data grows in discrete chunks. --- B) Continuous Pre-training Description: The foundation model undergoes ongoing training on new data as it becomes available, without starting from scratch each time. Often implemented with streaming or incremental learning techniques, allowing the model to continuously adapt. Pros: Enables the model to stay up-to-date with the latest data. Efficient use of resources by building on the existing model state. Reduces the time lag between data acquisition and model update. Cons: Requires careful handling to avoid catastrophic forgetting (losing previously learned knowledge). Needs robust infrastructure for continuous data ingestion and model updates. Best Scenario: When the company needs the model to be updated frequently or in near real-time with recent data. Ideal for large-scale systems where continuo...

Author: Ishaan · Last updated May 7, 2026

HOTSPOT - A company wants to develop ML applications to improve business operations and efficiency. Select the correct ML paradigm from the following list fo...

Author: Jack · Last updated May 7, 2026

Which option is a characteristic of AI governance frameworks for building trust and deploying human-...

Let's analyze each option carefully, focusing on AI governance frameworks aimed at building trust and deploying human-centered AI technologies. Key factors here are trust, human-centeredness, governance, transparency, responsibility, and compliance. --- A) Expanding initiatives across business units to create long-term business value Reasoning: This option emphasizes scaling AI initiatives for business growth and value creation. While important for organizational success, it focuses more on business expansion and value rather than governance or trust-building. Rejection: It is more about business strategy than governance. AI governance frameworks emphasize controls and ethical guidelines, not just expansion. --- B) Ensuring alignment with business standards, revenue goals, and stakeholder expectations Reasoning: This option addresses aligning AI projects with business goals and stakeholder needs. Alignment is important for adoption and support, but it leans toward business priorities and performance, not specifically on trust or responsible AI governance. Rejection: Though alignment matters, it doesn’t cover human-centered principles or ethical frameworks needed to build trust in AI systems. --- C) Overcoming challenges to drive business transformation and growth...

Author: Ishaan · Last updated May 7, 2026

An ecommerce company is using a generative AI chatbot to respond to customer inquiries. The company wants to measure the financial effect of the chatbot o...

Let's analyze each option carefully to determine which metric best measures the financial effect of the generative AI chatbot on the company's operations: --- A) Number of customer inquiries handled What it measures: The total volume of customer inquiries the chatbot processes. Reasoning: While this shows usage or capacity, it does not directly measure financial impact. Handling more inquiries doesn't necessarily translate into cost savings or revenue changes without understanding efficiency or cost per inquiry. When useful: This metric is useful for assessing scale or demand but not financial effect. --- B) Cost of training AI models What it measures: The expense involved in developing and improving the AI chatbot. Reasoning: This is a one-time or periodic investment cost, important for budgeting but does not reflect ongoing operational financial impact or savings from deploying the chatbot. When useful: This is relevant when analyzing the upfront investment or R\&D costs, but it doesn’t show how the chatbot affects day-to-day financials. --- C) Cost for each customer conversation What it measures: The operational cost incurred per interaction handled by the chatbot. Reasoning:...

Author: Olivia · Last updated May 7, 2026

A company wants to find groups for its customers based on the customers' demographics and buying patterns. Which algor...

To determine the best algorithm for grouping customers based on demographics and buying patterns, let’s analyze each option with respect to key factors like the goal (grouping/clustering vs classification), data type, and whether labeled data is available. --- A) K-nearest neighbors (k-NN) Type: Supervised learning (classification/regression) Goal: Predicts the class of a new data point based on the majority class of its k nearest neighbors. Use case: When you have labeled data and want to classify or predict outcomes. Reasoning for rejection: The company wants to find groups (clusters) in data, which implies unsupervised learning (no predefined labels). k-NN is not suitable because it requires labeled data for classification. --- B) K-means Type: Unsupervised learning (clustering) Goal: Groups data points into k clusters based on similarity, often using Euclidean distance. Use case: When you want to segment or group data without prior labels — exactly the case for customer segmentation based on demographics and buying patterns. Reasoning for selection: The company wants to find groups in the data (unsupervised), and k-means is one of the most common and effective clustering algorithms for segmenting customers. --- C) Decision Tree Type: Supervised learning (classification/regression) Goal: Builds a tree model for predicting the class or value of a target variable based on input features. Use case: When labeled data is available and the goal is to p...

Author: Vikram · Last updated May 7, 2026

A company's large language model (LLM) is experiencing hallucinations. How can the company decrea...

To address hallucinations in a large language model (LLM), let's analyze each option based on key factors such as feasibility, effectiveness, and applicability: --- A) Set up Agents for Amazon Bedrock to supervise the model training. Reasoning: Amazon Bedrock Agents primarily assist with orchestration and managing interactions between multiple models or tools rather than directly supervising or improving the training quality of an LLM to reduce hallucinations. Why rejected: This option does not directly target hallucination reduction through model behavior adjustment or data quality improvement. It's more about workflow management than hallucination control. Scenario for use: Useful when coordinating multi-model pipelines or integrating LLMs with other systems, not for hallucination mitigation. --- B) Use data pre-processing and remove any data that causes hallucinations. Reasoning: Hallucinations often arise from training data with inaccuracies or inconsistencies. Cleaning training data can help reduce these issues. Challenges: Identifying hallucination-causing data can be extremely difficult at scale, as hallucinations sometimes emerge from complex patterns or gaps in data, not just bad data points. Scenario for use: Best applied during initial data curation or fine-tuning phases where data quality can be tightly controlled. Not always feasible for very large or diverse datasets. --- C) Decrease the temperature inference parameter for the model. Reasoning: The temperature parameter controls randomness in the output generation. L...

Author: Alexander · Last updated May 7, 2026

A company is using a large language model (LLM) on Amazon Bedrock to build a chatbot. The chatbot processes customer support requests. To resolve a request, the customer and the chatbot must interact a few times....

Let's analyze each option based on the key factor: enabling the LLM to utilize content from previous customer messages in a multi-turn conversation. --- A) Turn on model invocation logging to collect messages. What it does: This logs all requests and responses made to the model for audit, debugging, or analysis. Why not suitable: Logging is primarily for recording or monitoring. It does not feed previous conversation data back into the model during the interaction. Logging alone does not maintain or provide context for ongoing conversations. When to use: Useful for compliance, troubleshooting, or analyzing model usage but not for conversational context retention. --- B) Add messages to the model prompt. What it does: You explicitly include prior messages in the prompt sent to the model on each turn, effectively providing conversation history as context. Why suitable: This is the standard way to maintain conversation context with stateless LLMs. Since the model itself does not store conversation history between calls, you manage this externally and append it each time. When to use: Best practice for chatbots requiring multi-turn interactions to maintain context by passing the dialogue history as part of the prompt. --- C) Use Amazon Personalize to save conversation history. What it does: Amazon Pers...

Author: Liam123 · Last updated May 7, 2026

A company's employees provide product descriptions and recommendations to customers when customers call the customer service center. These recommendations are based on where the customers are located. The company wants to use...

Let's analyze each AWS service option based on the requirement: Requirement: Automate product descriptions and recommendations to customers during customer service calls. Recommendations depend on customer location. Use foundation models (FMs) for automation. --- A) Amazon Macie Purpose: Security service to discover, classify, and protect sensitive data in AWS (especially PII and data stored in S3). Relevance: Not designed for natural language generation or customer interaction automation. Conclusion: Not suitable for automating product recommendations or generating descriptions. Scenario use: When you need to identify and protect sensitive data in your data lakes. --- B) Amazon Transcribe Purpose: Automatic speech recognition (ASR) to convert speech to text. Relevance: Could convert customer calls to text but does not generate recommendations or product descriptions. Conclusion: Useful as a component to capture speech, but it alone cannot generate responses or recommendations based on location. Scenario use: When you need to transcribe voice calls or audio files into text. --- C) Amazon Bedrock Purpose: Provides access to foundation models (FMs) from various providers (e.g., Anthropic, AI21, Stability AI) without managing infrastructure. Enables bui...

Author: Maya2022 · Last updated May 7, 2026

A company wants to upload customer service email messages to Amazon S3 to develop a business analysis application. The messages sometimes contain sensitive data. The company wants to receive an alert every time sensitive information is found. Wh...

Let's analyze each option carefully based on the key factors: automation, development effort, sensitivity detection accuracy, and alerting capability. --- A) Configure Amazon Macie to detect sensitive information in the documents that are uploaded to Amazon S3. Pros: Amazon Macie is a fully managed data security and data privacy service designed specifically to discover, classify, and protect sensitive data in AWS. It can automatically scan new objects uploaded to S3 buckets. Macie has built-in sensitive data detection capabilities (e.g., PII, credit card numbers, etc.). It can generate alerts or findings automatically via AWS Security Hub, Amazon EventBridge, or SNS. Minimal development effort required since it is a managed service that handles the scanning and alerting pipeline. Cons: Pricing can be a consideration depending on data volume, but it's fully automated. Conclusion: This option meets the requirement of fully automated detection and alerting with minimal development effort. --- B) Use Amazon SageMaker endpoints to deploy a large language model (LLM) to redact sensitive data. Pros: LLMs can be powerful and flexible for custom sensitive data detection and redaction. Can be tailored to specific company needs and types of sensitive data. Cons: Requires significant development and ML expertise to train or fine-tune the model. Deployment and maintenance of the endpoint add operational overhead. Alerting on sensitive info would need custom logic to be implemented. Likely more costly and complex than necessary for straightforward PII detection. Conclusion: Not the best choice due to high development effort and operational complexity for a relatively standard use case. --...

Author: Rahul · Last updated May 7, 2026

HOTSPOT - A company is training its employees on how to structure prompts for foundation models. Select the correct prompt engineering technique from the following list for each...

Author: Andrew · Last updated May 7, 2026

Which option is a benefit of using Amazon SageMaker Model Cards to document AI models?

Let's analyze each option carefully, focusing on key factors relevant to Amazon SageMaker Model Cards and their primary purpose. --- Option A: Providing a visually appealing summary of a model's capabilities. Reasoning: While model cards often include summaries and sometimes visual elements to present model information clearly, their main benefit isn't about making things visually appealing. Visual appeal is secondary to accuracy and standardization. Scenario: This might be used in a presentation or report, but it is not the core function of SageMaker Model Cards. Rejection: The focus is on standardizing and documenting model metadata, not aesthetics. --- Option B: Standardizing information about a model's purpose, performance, and limitations. Reasoning: This is precisely what model cards are designed for. SageMaker Model Cards provide a structured and standardized way to document critical details about AI models, including their intended use cases, evaluation metrics, biases, ethical considerations, and known limitations. Scenario: Useful when multiple stakeholders (developers, auditors, regulators) need clear, consistent, and transparent information about a model’s behavior and constraints. Selected because: This improves model governance, transparency, reproducibility, and ethical AI practices...

Author: Oscar · Last updated May 7, 2026

What does an F1 score measure in the context of foundation model (FM) performance?

The F1 score is a metric that combines precision and recall into a single number, providing a balanced measure of a model’s accuracy, especially useful when the class distribution is imbalanced. --- Explanation of each option: A) Model precision and recall Selected The F1 score is the harmonic mean of precision (the accuracy of positive predictions) and recall (the ability to find all positive instances). It is widely used in classification tasks to evaluate model performance, especially when you want to balance false positives and false negatives. Scenario: When you want to evaluate how well the model balances identifying relevant instances without too many false alarms, such as in classification problems, information retrieval, or NLP tasks. --- B) Model speed in generating responses Rejected Speed or latency is a separate performance metric related to efficiency and does not involve precision or recall measures. F1 score doesn’t quantify time or ...

Author: Daniel · Last updated May 7, 2026

A company deployed an AI/ML solution to help customer service agents respond to frequently asked questions. The questions can change over time. The company wants to give customer service agents the ability to ask questions and receive automatically generat...

Let's analyze each option carefully in the context of the requirements: Requirements recap: The AI/ML solution helps customer service agents respond to FAQs. Questions can change over time (dynamic content). Agents ask questions and receive automatically generated answers. The solution needs to be cost-effective. --- A) Fine-tune the model regularly What it means: Regularly updating the model’s weights with new data so it "learns" new FAQs. Pros: The model becomes more tailored to current FAQs. Cons: Fine-tuning large models frequently is expensive and time-consuming. Requires significant compute resources, skilled data engineering, and data labeling pipelines. Suitability: Better for relatively static or slowly changing domains, or when very high accuracy on domain-specific language is needed. Reason to reject: Because FAQs change often, frequent fine-tuning is costly and inefficient. --- B) Train the model by using context data What it means: Training the model using context data (e.g., documents or logs) from scratch or a large retraining. Pros: Potentially creates a strong baseline for understanding domain knowledge. Cons: Training from scratch or heavy training requires huge resources, time, and data. Not practical for continuously changing FAQs. Suitability: For new domain adaptation or initial model development, but not for ongoing, dynamic updates. Reason to reject: Too costly and slow for frequently changing questions. --- C) Pre-train and benchmark the model by using context data What it means: Pre-train the model on context data, then benchmark it. Pros: Good for initial development and evaluation. Cons: Pre-training large language models is extremely expensive and generally done by large organizations or labs. Not practical for frequent content updates. Suitabili...

Author: SilverBear · Last updated May 7, 2026

A company built an AI-powered resume screening system. The company used a large dataset to train the model. The dataset contained resumes that were not representative of all demog...

Let's analyze the scenario and the options carefully: Scenario: An AI-powered resume screening system is trained on a large dataset. The dataset is not representative of all demographics. This means the model might perform well for some groups but poorly for others, leading to biased or unfair outcomes. --- Option A: Fairness Definition: Fairness in AI means ensuring that the system does not create or reinforce bias or discrimination against any group, especially protected or minority groups. Relevance: Since the dataset lacks demographic representativeness, the model is likely biased, unfairly disadvantaging some groups over others. This is a clear fairness issue. Key factor: Dataset representativeness affects fairness because bias in data leads to biased AI decisions. --- Option B: Explainability Definition: Explainability involves the AI system being able to provide understandable reasons for its decisions or predictions. Relevance: The issue here is not about the AI’s ability to explain its decisions but rather about bias from data. So this option is less relevant. When to use: Explainability is critical if the system’s decisions need to be interpretable by humans, for example in me...

Author: John · Last updated May 7, 2026

A global financial company has developed an ML application to analyze stock market data and provide stock market trends. The company wants to continuously monitor the application development phases and to ensure that company policies and industry regula...

Let's analyze each option in the context of the company's need to continuously monitor the ML application development phases and ensure compliance with company policies and industry regulations: --- A) AWS Audit Manager Purpose: Helps automate evidence collection to assess compliance with regulations and standards (e.g., GDPR, HIPAA, SOC). Why select? It is specifically designed to help organizations continuously audit and assess compliance requirements by mapping AWS resources against industry standards and internal policies. Use case scenario: Best for compliance management, continuous audit, and generating compliance reports based on AWS resource configurations and activities. --- B) AWS Config Purpose: Tracks AWS resource configurations and changes over time; provides rules to check resource compliance against policies. Why select? It enables continuous monitoring of AWS resource configurations and evaluates whether these comply with company policies or regulatory standards. Use case scenario: Useful for continuous compliance monitoring and detecting configuration drift, which helps enforce best practices during development and deployment phases. --- C) Amazon Inspector Purpose: Automated security assessment service that helps identify vulnerabilities and deviations from security best practices. Why reject? It focuses primarily on security vulnerability assessment of EC2 instances and container images, not b...

Author: Rahul · Last updated May 7, 2026

A company wants to improve the accuracy of the responses from a generative AI application. The application uses a foundation model (FM) on Amazon Bedrock....

Let's analyze each option in the context of improving accuracy for a generative AI application that uses a foundation model (FM) on Amazon Bedrock, focusing on cost-effectiveness, practicality, and typical scenarios where each option fits best. --- Option A: Fine-tune the FM What it is: Fine-tuning involves adjusting the pre-trained foundation model weights using domain-specific or task-specific data. Cost: Moderate. It requires some compute resources and data but significantly less than full training or retraining. Effectiveness: Often highly effective at improving accuracy for specialized use cases without needing full retraining. Use case: When you have a decent amount of relevant labeled data and want to adapt the model for your specific domain or task with relatively low cost and effort. Bedrock context: Amazon Bedrock supports fine-tuning or customizations on some foundation models, allowing tailored improvements without full model ownership complexity. --- Option B: Retrain the FM What it is: Retraining means starting from a pre-trained model checkpoint and training again, usually on a new or augmented dataset. Cost: High. Requires substantial compute resources and time. Effectiveness: Can improve accuracy but often close to fine-tuning results if you are just adapting to a new domain. Use case: Useful if the pre-trained FM is outdated or poorly matches your domain, but still expensive and usually unnecessary unless you have large, high-quality new data. Bedrock context: Typically, retraining a commercial FM is not feasible because foundation models are proprietary or very large. Bedrock focuses on inference and fine-tuning, not full retraining. --- Option C: Train a new FM What it is: Training a foundation model from scratch. Cost: Extremely high — requires massive datasets, expensive infrastructure, and time. Effectiveness: Could theoretically yield the best accuracy tailored to your domain, but practically very expensive and impractical for most companies. Use case: Large organizations with substantial AI expertise and resources, or ...

Author: Zara · Last updated May 7, 2026