NEW QUESTION 1
You run accounting software in the AWS cloud. This software needs to be online continuously during the day every day of the week, and has a very static requirement for compute resources. You also have other, unrelated batch jobs that need to run once per day at anytime of your choosing. How should you minimize cost?

• A. Purchase a Heavy Utilization Reserved Instance to run the accounting softwar
• B. Turn it off after hour
• C. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs.
• D. Purch ase a Medium Utilization Reserved Instance to run the accounting softwar
• E. Turn it off after hour
• F. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs.
• G. Purchase a Light Utilization Reserved Instance to run the accounting softwar
• H. Turn it off after hour
• I. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs.
• J. Purch ase a Full Utilization Reserved Instance to run the accounting softwar
• K. Turn it off after hour
• L. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs.

Answer: A

Explanation:
Reserved Instances provide you with a significant discount compared to On-Demand Instance pricing.
Reserved Instances are not physical instances, but rather a
billing discount applied to the use of On-Demand Instances in your account. These On-Demand Instances must match certain attributes in order to benefit from the
billing discount
For more information, please refer to the below link:
• https://aws.amazon.com/about-aws/whats-new/2011/12/01/New-Amazon-CC2-Reserved- lnstances-Options-Now-Available/
• https://aws.amazon.com/blogs/aws/reserved-instance-options-for-amazon-ec2/
• http://docs.aws.a mazon.com/AWSCC2/latest/UserGuide/ec2-reserved-instances.html Note:
It looks like these options are also no more available at present.
It looks like Convertible, Standard and scheduled are the new instance options. However the exams may still be referring to the old RIs. https://aws.amazon.com/ec2/pricing/reserved-instances/

NEW QUESTION 2
Which of the below services can be used to deploy application code content stored in Amazon S3 buckets, GitHub repositories, or Bitbucket repositories

• A. CodeCommit
• B. CodeDeploy
• C. S3Lifecycles
• D. Route53

Answer: B

Explanation:
The AWS documentation mentions
AWS CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances or on-premises instances in your own facility.
For more information on Code Deploy please refer to the below link:
• http://docs.ws.amazon.com/codedeploy/latest/userguide/welcome.html

NEW QUESTION 3
You need the absolute highest possible network performance for a cluster computing application. You already selected homogeneous instance types supporting 10 gigabit enhanced networking, made sure that your workload was network bound, and put the instances in a placement group. What is the last optimization you can make?

• A. Use 9001 MTU instead of 1500 for Jumbo Frames, to raise packet body to packet overhead ratios.
• B. Segregate the instances into different peered VPCs while keeping them all in a placement group, so each one has its own Internet Gateway.
• C. Bake an AMI for the instances and relaunch, so the instances are fresh in the placement group and do not have noisy neighbors.
• D. Turn off SYN/ACK on your TCP stack or begin using UDP for higher throughput.

Answer: A

Explanation:
Jumbo frames allow more than 1500 bytes of data by increasing the payload size per packet, and thus increasing the percentage of the packet that is not packet
overhead. Fewer packets are needed to send the same amount of usable data. However, outside of a given AWS region (CC2-Classic), a single VPC, or a VPC peering
connection, you will experience a maximum path of 1500 MTU. VPN connections and traffic sent over an Internet gateway are limited to 1500 MTU. If packets are over
1500 bytes, they are fragmented, or they are dropped if the Don't Fragment flag is set in the IP header.
For more information on Jumbo Frames, please visit the below URL: http://docs.aws.amazon.com/AWSCC2/latest/UserGuide/network_mtu.htm#jumbo_frame_instance s

NEW QUESTION 4
Which of the following is false when it comes to using the Elastic Load balancer with Opsworks stacks?

• A. Youcan attach only one load balancer to a layer.
• B. A Classic Load Balancer can span across AWSOpsWorks Stacks layers.
• C. Eachload balancer can handle only one layer.
• D. Youneed to create the load balancer before hand and then attach it to the Opsworkstack.

Answer: B

Explanation:
The AWS Documentation mentions the following
To use Clastic Load Balancing with a stack, you must first create one or more load balancers in the same region by using the Clastic Load Balancing console, CLI, or API. You should be aware of the following:
You can attach only one load balancer to a layer. Cach load balancer can handle only one layer.
AWS OpsWorks Stacks does not support Application Load Balancer. You can only use Classic Load Balancer with AWS OpsWorks Stacks. For more information on Clastic Load Balancer with Opswork,
please visit the below url http://docs.aws.a mazon.com/opsworks/latest/userguide/layers-elb.html

NEW QUESTION 5
You need to deploy an AWS stack in a repeatable manner across multiple environments. You have selected CloudFormation as the right tool to accomplish this, but have found that there is a resource type you need to create and model, but is unsupported by CloudFormation. How should you overcome this challenge?

• A. Use a CloudFormation Custom Resource Template by selecting an API call to proxy for create, update, and delete action
• B. CloudFormation will use the AWS SDK, CLI, or API method of your choosing as the state transition function for the resource type you are modeling.
• C. Submit a ticket to the AWS Forum
• D. AWS extends CloudFormation Resource Types by releasing tooling to the AWS Labs organization on GitHu
• E. Their response time is usually 1 day, and theycomplete requests within a week or two.
• F. Instead of depending on CloudFormation, use Chef, Puppet, or Ansible to author Heat templates, which are declarative stack resource definitions that operate over the OpenStack hypervisor and cloud environment.
• G. Create a CloudFormation Custom Resource Type by implementing create, update, and delete functionality, either by subscribing a Custom Resource Provider to an SNS topic, or by implementing the logic in AWS Lambda.

Answer: D

Explanation:
Custom resources enable you to write custom provisioning logic in templates that AWS Cloud Formation runs anytime you create, update (if you changed the custom resource), or delete stacks. For example, you might want to include resources that aren't available as AWS Cloud Formation resource types. You can include those resources by using custom resources. That way you can still manage all your related resources in a single stack.
Use the AWS:: Cloud Formation:: Custom Resource or Custom ::String resource type to define custom resources in your templates. Custom resources require one property: the service token, which specifies where AWS CloudFormation sends requests to, such as an Amazon SNS topic.
For more information on Custom Resources in Cloudformation, please visit the below U RL: http://docs.aws.amazon.com/AWSCIoudFormation/latest/UserGuide/template-custom- resources.html

NEW QUESTION 6
What is web identity federation?

• A. Use of an identity provider like Google or Facebook to become an AWS1AM User.
• B. Use of an identity provider like Google or Facebook to exchange for temporary AWS security credentials.
• C. Use of AWS 1AM Usertokens to log in as a Google or Facebook user.
• D. Use STS service to create an user on AWS which will allow them to login from facebook orgoogle app.

Answer: B

Explanation:
With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) — such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an 1AM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don't have to embed and distribute long- term security credentials with your application. For more information on Web Identity federation please refer to the below link:
http://docs^ws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

NEW QUESTION 7
Which of the following can be configured as targets for Cloudwatch Events. Choose 3 answers from
the options given below

• A. AmazonEC2 Instances
• B. AWSLambda Functions
• C. AmazonCodeCommit
• D. AmazonECS Tasks

Answer: ABD

Explanation:
The AWS Documentation mentions the below
You can configure the following AWS sen/ices as targets for Cloud Watch Events

For more information on Cloudwatch events please see the below link:
• http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatlsCloudWatchEvents.htmI

NEW QUESTION 8
Your application has an Auto Scaling group of three EC2 instances behind an Elastic Load Balancer. Your Auto Scalinggroup was updated with a new launch configuration that refers to an updated AMI. During the deployment, customers complained that they were receiving several errors even though all instances passed the ELB health checks. How can you prevent this from happening again?

• A. Createa new ELB and attach the Autoscaling Group to the ELB
• B. Createa new launch configuration with the updated AMI and associate it with the AutoScaling grou
• C. Increase the size of the group to six and when instances becomehealthy revert to three.
• D. Manuallyterminate the instances with the older launch configuration.
• E. Updatethe launch configuration instead of updating the Autoscaling Group

Answer: B

Explanation:
An Auto Scaling group is associated with one launch configuration at a time, and you can't modify a launch configuration after you've created it. To change the launch configuration for an Auto Scaling group, you can use an existing launch configuration as the basis for a new launch configuration and then update the Auto Scaling group to use the new launch configuration.
After you change the launch configuration for an Auto Scaling group, any new instances are launched using the new configuration options, but existing instances are not affected.
Then to ensure the new instances are launches, change the size of the Autoscaling Group to 6 and once the new instances are launched, change it back to 3.
For more information on instances scale-in process and Auto Scaling Group's termination policies please view the following link:
• https://docs^ws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#default- termination-policy For more information on changing the launch configuration please see the below link:
• http://docs.aws.amazon.com/autoscaling/latest/userguide/change-launch-config.html

NEW QUESTION 9
You have an application running on an Amazon EC2 instance and you are using 1AM roles to securely access AWS Service APIs. How can you configure your application running on that instance to retrieve the API keys for use with the AWS SDKs?

• A. When assigning an EC21AM role to your instance in the console, in the "Chosen SDK" drop-down list, select the SDK that you are using, and the instance will configure the correct SDK on launch with the API keys.
• B. Within your application code, make a GET request to the 1AM Service API to retrieve credentials for your user.
• C. When using AWS SDKs and Amazon EC2 roles, you do not have to explicitly retrieve API keys, because the SDK handles retrieving them from the Amazon EC2 MetaData service.
• D. Within your application code, configure the AWS SDK to get the API keys from environment variables, because assigning an Amazon EC2 role stores keys in environment variables on launch.

Answer: C

Explanation:
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that
the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using 1AM roles
For more information on Roles for CC2 please refer to the below link: http://docs.aws.amazon.com/AWSCC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

NEW QUESTION 10
You are writing an AWS Cloud Formation template and you want to assign values to properties that will not be available until runtime. You know that you can use intrinsic functions to do this but are unsure as to which part of the template they can be used in. Which of the following is correct in describing how you can currently use intrinsic functions in an AWS CloudFormation template?

• A. Youcan use intrinsic functions in any part of a template.
• B. Youcan only use intrinsic functions in specific parts of a templat
• C. You can useintrinsic functions in resource properties, metadata attributes, and updatepolicy attributes.
• D. Youcan use intrinsic functions only in the resource properties part of a template.
• E. Youcanuse intrinsic functions in any part of a template, exceptAWSTemplateFormatVersion and Description.

Answer: B

Explanation:
This is clearly given in the aws documentation. Intrinsic Function Reference
AWS Cloud Formation provides several built-in functions that help you manage your stacks. Use intrinsic functions in your templates to assign values to properties that are not available until runtime. Note
You can use intrinsic functions only in specific parts of a template. Currently, you can use intrinsic functions in resource properties, outputs, metadata attributes, and update policy attributes. You can also use intrinsic functions to conditionally create stack resources. For more information on intrinsic function please refer to the below link https://docs.aws.amazon.com/AWSCIoudFormation/latest/UserGuide/intrinsic-function -reference, html

NEW QUESTION 11
Which of the following tools for EC2 can be used to administer instances without the need to SSH or RDP into the instance.

• A. AWSConfig
• B. AWSCodePipeline
• C. RunCommand
• D. EC2Config

Answer: C

Explanation:
You can use Run Command from the Amazon L~C2 console to configure instances without having to login to each instance
For more information on the Run Command, please visit the below URL:
• http://docs.aws.a mazon.com/systems-manager/latest/userguide/rc-console.html

NEW QUESTION 12
You have an asynchronous processing application usingan Auto Scaling Group and an SQS Queue. The Auto Scaling Group scales according to the depth of the job queue. The completion velocity of the jobs has gone down, the Auto Scaling Group size has maxec out, but the inbound job velocity did not increase. What is a possible issue?

• A. Some of the new jobs coming in are malformed and unprocessable.
• B. The routing tables changed and none of the workers can process events anymore.
• C. Someone changed the 1AM Role Policy on the instances in the worker group and broke permissions to access the queue.
• D. The scaling metric is not functioning correctly.

Answer: A

Explanation:
This question is more on the grounds of validating each option
Option B is invalid, because the Route table would have an effect on all worker processes and no jobs would have been completed.
Option C is invalid because if the 1AM Role was invalid then no jobs would be completed.
Option D is invalid because the scaling is happening, its just that the jobs are not getting completed. For more information on Scaling on Demand, please visit the below URL:
• http://docs.aws.a mazon.com/autoscaling/latest/userguide/as-scale-based-on-demand.html

NEW QUESTION 13
Which of the following design strategies is ideal when designing loosely coupled systems. Choose 2 answers from the options given below

• A. Having the web and worker roles running on the same set of EC2 Instances
• B. Having the web and worker roles running on separate EC2 Instances
• C. Using SNS to establish communication between the web and worker roles
• D. Using SQS to establish communication between the web and worker roles

Answer: BD

Explanation:
The below diagram shows the ideal design which uses SQS and separate environments for web and worker processes. The SQS queue manages the communication between the web and worker roles.

One example is the way Elastic beanstalk manages worker environments. For more information on
this, please visit the below URL:
◆ http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.htmI

NEW QUESTION 14
You have been requested to use CloudFormation to maintain version control and achieve automation for the applications in your organization. How can you best use CloudFormation to keep everything agile and maintain multiple environments while keeping cost down?

• A. Create separate templates based on functionality, create nested stacks with CloudFormation.
• B. Use CloudFormation custom resources to handle dependencies between stacks
• C. Create multiple templates in one CloudFormation stack.
• D. Combine all resources into one template for version control and automation.

Answer: A

Explanation:
As your infrastructure grows, common patterns can emerge in which you declare the same components in each of your templates. You can separate out these common components and create dedicated templates for them. That way, you can mix and match different templates but use nested stacks to create a single, unified stack. Nested stacks are stacks that create other stacks. To create nested stacks, use the AWS:: Cloud Form ation::Stackresource in your template to reference
other templates. For more information on Cloudformation best practises please refer to the below link:
http://docs.aws.amazon.com/AWSCIoudFormation/latest/UserGuide/best-practices.html

NEW QUESTION 15
The AWS Code Deploy service can be used to deploy code from which of the below mentioned source repositories. Choose 3 answers from the options given below

• A. S3Buckets
• B. GitHubrepositories
• C. Subversionrepositories
• D. Bit bucket repositories

Answer: ABD

Explanation:
The AWS documentation mentions the following
You can deploy a nearly unlimited variety of application content, such as code, web and configuration files, executables, packages, scripts, multimedia files, and so on. AWS CodeDeploy can deploy application content stored in Amazon S3 buckets, GitHub repositories, or Bitbucket repositories. You do not need to make changes to your existing code before you can use AWS CodeDeploy.
For more information on AWS Code Deploy, please refer to the below link:
• http://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html

NEW QUESTION 16
You are building a mobile app for consumers to post cat pictures online. You will be storing the images in AWS S3. You want to run the system very cheaply and simply. Which one of these options allows you to build a photo sharing application with the right authentication/authorization implementation.

• A. Build the application out using AWS Cognito and web identity federation to allow users to log in using Facebook or Google Account
• B. Once they are logged in, the secret token passed to that user is used to directly access resources on AWS, like AWS S3. ^/
• C. Use JWT or SAML compliant systems to build authorization policie
• D. Users log in with a username and password, and are given a token they can use indefinitely to make calls against the photo infrastructure.C Use AWS API Gateway with a constantly rotating API Key to allow access from the client-sid
• E. Construct a custom build of the SDK and include S3 access in it.
• F. Create an AWS oAuth Service Domain ad grant public signup and access to the domai
• G. During setup, add at least one major social media site as a trusted Identity Provider for users.

Answer: A

Explanation:
Amazon Cognito lets you easily add user sign-up and sign-in and manage permissions for your mobile and web apps. You can create your own user directory within Amazon Cognito. You can also choose to authenticate users through social identity providers such as Facebook, Twitter, or Amazon; with SAML identity solutions; or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users' devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.
For more information on AWS Cognito, please visit the below URL:
• http://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html

NEW QUESTION 17
You need to perform ad-hoc business analytics queries on well-structured data. Data comes in
constantly at a high velocity. Your business intelligence team can understand SQL.
What AWS service(s) should you look to first?

• A. Kinesis Firehose + RDS
• B. Kinesis Firehose+RedShift
• C. EMR using Hive
• D. EMR running Apache Spark

Answer: B

Explanation:
Amazon Kinesis Firehose is the easiest way to load streaming data into AWS. It can capture, transform, and load streaming data into Amazon Kinesis Analytics, Amazon S3, Amazon Redshift, and Amazon Oasticsearch Sen/ice, enabling near real-time analytics with existing business intelligence tools and
dashboards you're already using today. It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing
administration. It can also batch, compress, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.
For more information on Kinesis firehose, please visit the below URL:
• https://aws.amazon.com/kinesis/firehose/
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to use your data to acquire new insights for your business and customers. For more information on Redshift, please visit the below URL:
http://docs.aws.amazon.com/redshift/latest/mgmt/welcome.html

NEW QUESTION 18
You have an application hosted in AWS. This application was created using Cloudformation Templates and Autoscaling. Now your application has got a surge of users which is decreasing the performance of the application. As per your analysis, a change in the instance type to C3 would resolve the issue. Which of the below option can introduce this change while minimizing downtime for end users?

• A. Copy the old launch configuration, and create a new launch configuration with the C3 instance
• B. Update the Auto Scalinggroup with the new launch configuratio
• C. Auto Scaling will then update the instance type of all running instances.
• D. Update the launch configuration in the AWS CloudFormation template with the new C3 instance typ
• E. Add an UpdatePolicy attribute to the Auto Scaling group that specifies an AutoScalingRollingUpdat
• F. Run a stack update with the updated template.
• G. Update the existing launch configuration with the new C3 instance typ
• H. Add an UpdatePolicy attribute to your Auto Scalinggroup that specifies an AutoScaling RollingUpdate in order to avoid downtime.
• I. Update the AWS CloudFormation template that contains the launch configuration with the new C3 instance typ
• J. Run a stack update with the updated template, and Auto Scaling will then update the instances one at a time with the new instance type.

Answer: B

Explanation:
Ensure first that the cloudformation template is updated with the new instance type.
The AWS::AutoScaling::AutoScalingGroup resource supports an UpdatePoIicy attribute. This is used to define how an Auto Scalinggroup resource is updated when
an update to the Cloud Formation stack occurs. A common approach to updating an Auto Scaling group is to perform a rolling update, which is done by specifying
the AutoScalingRollingUpdate policy. This retains the same Auto Scaling group and replaces old instances with new ones, according to the parameters specified.
Option A is invalid because this will cause an interruption to the users.
Option C is partially correct, but it does not have all the steps as mentioned in option B.
Option D is partially correct, but we need the AutoScalingRollingUpdate attribute to ensure a rolling update is peformed.
For more information on AutoScaling Rolling updates please refer to the below link:
• https://aws.amazon.com/premiumsupport/knowledge-center/auto-scaling-group-rolling- updates/

NEW QUESTION 19
You have an application which consists of EC2 instances in an Auto Scaling group. Between a particular time frame every day, there is an increase in traffic to your website. Hence users are complaining of a poor response time on the application. You have configured your Auto Scaling group to deploy one new EC2 instance when CPU utilization is greater than 60% for 2 consecutive periods of 5 minutes. What is the least cost-effective way to resolve this problem?

• A. Decrease the consecutive number of collection periods
• B. Increase the minimum number of instances in the Auto Scaling group
• C. Decrease the collection period to ten minutes
• D. Decrease the threshold CPU utilization percentage at which to deploy a new instance

Answer: B

Explanation:
If you increase the minimum number of instances, then they will be running even though the load is not high on the website. Hence you are incurring cost even though there is no need.
All of the remaining options are possible options which can be used to increase the number of instances on a high load.
For more information on On-demand scaling, please refer to the below link: http://docs.aws.amazon.com/autoscaling/latest/userguide/as-scale-based-on-demand.html
Note: The tricky part where the question is asking for 'least cost effective way". You got the design consideration correctly but need to be careful on how the question is phrased.

NEW QUESTION 20
For AWS Auto Scaling, what is the first transition state an instance enters after leaving steady state when scaling in due to health check failure or decreased load?

• A. Terminating
• B. Detaching
• C. Terminating:Wait
• D. EnteringStandby

Answer: A

Explanation:
The below diagram shows the Lifecycle policy. When the scale-in happens, the first action is the Terminating action.

For more information on Autoscaling Lifecycle, please refer to the below link: http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScaingGroupLifecycle.html

NEW QUESTION 21
Which of the following is not a component of Elastic Beanstalk?

• A. Application
• B. Environment
• C. Docker
• D. ApplicationVersion

Answer: C

Explanation:
Answer - C
The following are the components of Clastic Beanstalk
1) Application - An Clastic Beanstalk application is a logical collection of Clastic Beanstalk components, including environments, versions, and environment configurations. In Clastic Beanstalk an application is conceptually similar to a folder
2) Application version - In Clastic Beanstalk, an application version refers to a specific, labeled iteration of deployable code for a web application
3) environment - An environment is a version that is deployed onto AWS resources. Cach environment runs only a single application version at a time, however you can run the same version or different versions in many environments at the same time.
4) environment Configuration - An environment configuration identifies a collection of parameters and settings that define how an environment and its associated resources behave.
5) Configuration Template - A configuration template is a starting point for creating unique environment configurations. For more information on the components of Clastic beanstalk please refer to the below link
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.components.html

NEW QUESTION 22
Which Auto Scaling process would be helpful when testing new instances before sending traffic to them, while still keeping them in your Auto Scaling Group?

• A. Suspend the process AZ Rebalance
• B. Suspend the process Health Check
• C. Suspend the process Replace Unhealthy
• D. Suspend the process AddToLoadBalancer

Answer: D

Explanation:
If you suspend Ad dTo Load Balancer, Auto Scaling launches the instances but does not add them to the load balancer or target group. If you resume
the AddTo Load Balancer process. Auto Scaling resumes adding instances to the load balancer or target group when they are launched. However, Auto Scaling does
not add the instances that were launched while this process was suspended. You must register those
instances manually.
Option A is invalid because this just balances the number of CC2 instances in the group across the Availability Zones in the region
Option B is invalid because this just checks the health of the instances. Auto Scaling marks an instance as unhealthy if Amazon CC2 or Clastic Load Balancing tells
Auto Scaling that the instance is unhealthy.
Option C is invalid because this process just terminates instances that are marked as unhealthy and later creates new instances to replace them.
For more information on process suspension, please refer to the below document link: from AWS http://docs.aws.amazon.com/autoscaling/latest/userguide/as-suspend-resume-processes.html

NEW QUESTION 23
Your company owns multiple AWS accounts. There is currently one development and one production account. You need to grant access to the development team to an S3 bucket in the production account. How can you achieve this?

• A. Createan 1AM user in the Production account that allows users from the Developmentaccount (the trusted account) to access the S3 bucket in the Productionaccount.
• B. When creating the role, define the Development account as a trustedentity and specify a permissions policy that allows trusted users to update theS3 bucket.
• C. Use web identity federation with a third-partyidentity provider with AWS STS to grant temporary credentials and membershipinto the production 1AM user.
• D. Createan 1AM cross account role in the Production account that allows users from theDevelopment account to access the S3 bucket in the Production account.

Answer: D

Explanation:
The AWS Documentation mentions the following on cross account roles
You can use AWS Identity and Access Management (1AM) roles and AWS Security Token Service (STS) to set up cross-account access between AWS accounts. When you assume an 1AM role in another AWS account to obtain cross-account access to services and resources in that account, AWS CloudTrail logs the cross-account activity. For more information on Cross account roles, please visit the below URL
• http://docs.aws.a mazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.htm I

NEW QUESTION 24
......