Automatically detect and prevent hardcoded secrets within AWS CodeCommit repositories.

Link the CodeCommit repositories to Amazon CodeGuru Reviewer to detect secrets in source code or configuration files, such as passwords, API keys, SSH keys, and access tokens.

An Elastic Beanstalk application must not have any downtime during deployment and requires an easy rollback to the previous version if an issue occurs.

Set up Blue/Green deployment, deploy a new version on a separate environment then swap environment URLs on Elastic Beanstalk.

A new version of an AWS Lambda application is ready to be deployed and the deployment should not cause any downtime. A quick rollback to the previous Lambda version must be available.

Publish a new version of the Lambda function. After testing, use the production Lambda Alias to point to this new version.

In an AWS Lambda application deployment, only 10% of the incoming traffic should be routed to the new version to verify the changes before eventually allowing all production traffic.

Set up Canary deployment for AWS Lambda. Create a Lambda Alias pointed to the new Version. Set Weighted Alias value for this Alias as 10%.

An application hosted in Amazon EC2 instances behind an Application Load Balancer. You must provide a safe way to upgrade the version on Production and allow easy rollback to the previous version.

Launch the application in Amazon EC2 that runs the new version with an Application Load Balancer (ALB) in front. Use Route 53 to change the ALB A-record Alias to the new ALB URL. Rollback by changing the A-record Alias to the old ALB.

An AWS OpsWorks application needs to safely deploy its new version on the production environment. You are tasked to prepare a rollback process in case of unexpected behavior.

Clone the OpsWorks Stack. Test it with the new URL of the cloned environment. Update the Route 53 record to point to the new version.

A development team needs full access to AWS CodeCommit but they should not be able to create/delete repositories.

Assign the developers with the AWSCodeCommitPowerUser IAM policy

During the deployment, you need to run custom actions before deploying the new version of the application using AWS CodeDeploy.

Add lifecycle hook action BeforeAllowTraffic

Add lifecycle hook action AfterAllowTraffic

You need to set up AWS CodeBuild to automatically run after a pull request has been successfully merged using AWS CodeCommit

Create an Amazon EventBridge rule to detect pull requests and action set to trigger CodeBuild Project. Use AWS Lambda to update the pull request with the result of the project Build

You need to use AWS CodeBuild to create artifact and automatically deploy the new application version

Set CodeBuild to save artifact to S3 bucket. Use CodePipeline to deploy using CodeDeploy and set the build artifact from the CodeBuild output.

You need to upload the AWS CodeBuild artifact to Amazon S3

S3 bucket needs to have versioning and encryption enabled.

You need to review AWS CodeBuild Logs and have an alarm notification for build results on Slack

Send AWS CodeBuild logs to CloudWatch Log group. Create an Amazon EventBridge rule to detect the result of your build and target a Lambda function to send results to the Slack channel (or SNS notification)

Need to get a Slack notification for the status of the application deployments on AWS CodeDeploy

Create an Amazon EventBridge rule to detect the result of CodeDeploy job and target a notification to AWS SNS or a Lambda function to send results to Slack channel

Need to run an AWS CodePipeline every day for updating the development progress status

Create an Amazon EventBridge rule to run on schedule every day and set a target to the AWS CodePipeline ARN

Automate deployment of a Lambda function and test for only 10% of traffic for 10 minutes before allowing 100% traffic flow.

Use CodeDeploy and select deployment configuration CodeDeployDefault.LambdaCanary10Percent10Minutes

Deployment of Elastic Beanstalk application with absolutely no downtime. The solution must maintain full compute capacity during deployment to avoid service degradation.

Choose the “Rolling with additional Batch” deployment policy in Elastic Beanstalk

Deployment of Elastic Beanstalk application where the new version must not be mixed with the current version.

Choose the “Immutable deployments” deployment policy in Elastic Beanstalk

The resources on the parent CloudFormation stack need to be referenced by other nested CloudFormation stacks

Use Export on the Output field of the main CloudFormation stack and use Fn::ImportValue function to import the value on the other stacks

On which part of the CloudFormation template should you define the artifact zip file on the S3 bucket?

The artifact file is defined on the AWS::Lambda::Function code resource block

Need to define the AWS Lambda function inline in the CloudFormation template

On the AWS::Lambda::Function code resource block, the inline function must be enclosed inside the ZipFile section.

Use CloudFormation to update Auto Scaling Group and only terminate the old instances when the newly launched instances become fully operational

Set AutoScalingReplacingUpdate : WillReplace property to TRUE to have CloudFormation retain the old ASG until the instances on the new ASG are healthy.  

You need to scale-down the EC2 instances at night when there is low traffic using OpsWorks.

Create Time-based instances for automatic scaling of predictable workload.

Can’t install an agent on on-premises servers but need to collect information for migration

Deploy the Agentless Discovery Connector VM on your on-premises data center to collect information.

Syntax for CloudFormation with an Amazon ECS cluster with ALB

Use the AWS::ECS::Service element for the ECS Cluster,
AWS::ECS::TaskDefinition element for the ECS Task Definitions, and the AWS::ElasticLoadBalancingV2
::LoadBalancer element for the ALB.

Need to centralize audit and collect configuration setting on all regions of multiple accounts

Setup an Aggregator on AWS Config.

Consolidate CloudTrail log files from multiple AWS accounts

Create a central S3 bucket with bucket policy to grant cross-account permission. Set this as destination bucket on the CloudTrail of the other AWS accounts.

Ensure that CloudTrail logs on the S3 bucket are protected and cannot be tampered with.

Enable Log File Validation on CloudTrail settings

Need to collect/investigate application logs from EC2 or on-premises server

Install the unified CloudWatch Agent to send the logs to CloudWatch Logs for storage and viewing.

Need to review logs from running ECS Fargate tasks

Enable awslogs log driver on the Task Definition and add the required logConfiguration parameter.

Need to run real-time analysis for collected application logs

Send logs to CloudWatch Logs, create a Lambda subscription filter, Elasticsearch subscription filter, or Kinesis stream filter.

Need to be automatically notified if you are reaching the limit of running EC2 instances or limit of Auto Scaling Groups

Track service limits with Trusted Advisor on CloudWatch Alarms using the ServiceLimitUsage metric.

Need a near real-time dashboard with a feature to detect violations for compliance

Use AWS Config to record all configuration changes and store the data reports to Amazon S3. Use Amazon QuickSight to analyze the dataset.

Need to monitor the latest Common Vulnerabilities and Exposures (CVE) of EC2 instances.

Use Amazon Inspector to automate security vulnerability assessments to test the network accessibility of the EC2 instances and the security state of applications that run on the instances.

Need to secure the buildspec.yml file which contains the AWS keys and database password stored in plaintext.

Store these values as encrypted parameter on SSM Parameter Store.

Using default IAM policies for AWSCodeCommitPowerUser but must be limited to a specific repository only

Attach additional policy with Deny rule and custom condition if it does not match the specific repository or branch

You need to secure an S3 bucket by ensuring that only HTTPS requests are allowed for compliance purposes.

Create an S3 bucket policy that Deny if checks for condition aws:SecureTransport is false

Need to store a secret, database password, or variable, in the most cost-effective solution

Store the variable on SSM Parameter Store and enable encryption

Need to generate a secret password and have it rotated automatically at regular intervals

Store the secret on AWS Secrets Manager and enable key rotation.

Several team members, with designated roles, need to be granted permission to use AWS resources

Assign AWS managed policies on the IAM accounts such as, ReadOnlyAccess, AdministratorAccess, PowerUserAccess

Apply latest patches on EC2 and automatically create an AMI

Use Systems Manager automation to execute an Automation Document that installs OS patches and creates a new AMI.

Need to have a secure SSH connection to EC2 instances and have a record of all commands executed during the session

Install SSM Agent on EC2 and use SSM Session Manager for the SSH access. Send the session logs to S3 bucket or CloudWatch Logs for auditing and review.

Ensure that the managed EC2 instances have the correct application version and patches installed.

Use SSM Inventory to have a visibility of your managed instances and identify their current configurations.

Apply custom patch baseline from a custom repository and schedule patches to managed instances

Use SSM Patch Manager to define a custom patch baseline and schedule the application patches using SSM Maintenance Windows

There are missing assets in File Gateway but exist directly in the S3 bucket

Run the RefreshCache command for Storage Gateway to refresh the cached inventory of objects for the specified file share.

Need to filter a certain event in CloudWatch Logs

Set up a CloudWatch metric filter to search the particular events.

Need to get a notification if somebody deletes files in your S3 bucket

Setup Amazon S3 Event Notifications to get notifications based on specified S3 events on a particular bucket.

Need to be notified when an RDS Multi-AZ failover happens

Setup Amazon RDS Event Notifications to detect specific events on RDS.

Get a notification if somebody uploaded IAM access keys on any public GitHub repositories

Create an Amazon EventBridge rule for the AWS_RISK_CREDENTIALS_EXPOSED event from AWS Health Service. Use AWS Step Functions to automatically delete the IAM key.

Get notified on Slack when your EC2 instance is having an AWS-initiated maintenance event

Create an Amazon EventBridge rule for the AWS Health Service to detect EC2 Events. Target a Lambda function that will send a notification to the Slack channel

Get notified of any AWS maintenance or events that may impact your EC2 or RDS instances

Create an Amazon EventBridge rule for detecting any events on AWS Health Service and send a message to an SNS topic or invoke a Lambda function.

Monitor scaling events of your Amazon EC2 Auto Scaling Group such as launching or terminating an EC2 instance.

Use Amazon EventBridge Events for monitoring the Auto Scaling Service and monitor the EC2 Instance-Launch Successful and EC2 Instance-Terminate Successful events.

View object-level actions of S3 buckets such as upload or deletion of object in CloudTrail

Set up Data events on your CloudTrail trail to record object-level API activity on your S3 buckets.

Execute a custom action if a specific CodePipeline stage has a FAILED status

Create an Amazon EventBridge rule to detect failed state on the CodePipeline service, and set a target to SNS topic for notification or invoke a Lambda function to perform custom action.

Automatically rollback a deployment in AWS CodeDeploy when the number of healthy instances is lower than the minimum requirement.

On CodeDeploy, create a deployment alarm that is integrated with Amazon CloudWatch. Track the MinimumHealthyHosts metric for the threshold of EC2 instances and trigger the rollback if the alarm is breached.

Need to complete QA testing before deploying a new version to the production environment

Add a Manual approval step on AWS CodePipeline, and instruct the QA team to approve the step before the pipeline can resume the deployment.

Get notified for OpsWorks auto-healing events

Create an Amazon EventBridge rule for the OpsWorks Service to track the auto-healing events

Need to deploy stacks across multiple AWS accounts and regions

Use AWS CloudFormation StackSets to extend the capability of stacks to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation.

Need to ensure that both the application and the database are running in the event that one Availability Zone becomes unavailable.

Deploy your application on multiple Availability Zones and set up your Amazon RDS database to use Multi-AZ Deployments.

In the event of an AWS Region outage, you have to make sure that both your application and database will still be running to avoid any service outages.

Create a copy of your deployment on the backup AWS region. Set up an RDS Read-Replica on the backup region.

Automatically switch traffic to the backup region when your primary AWS region fails

Set up Route 53 Failover routing policy with health check enabled on your primary region endpoint.

Need to ensure the availability of a legacy application running on a single EC2 instance

Set up an Auto Scaling Group with MinSize=1 and MaxSize=1 configuration to set a fixed count and ensure that it will be replaced when the instance becomes unhealthy

Ensure that every EC2 instance on an Auto Scaling group downloads the latest code first before being attached to a load balancer

Create an Auto Scaling Lifecycle hook and configure the Pending:Wait hook with the action to download all necessary packages.

Ensure that all EC2 instances on an Auto Scaling group upload all log files in the S3 bucket before being terminated.

Use the Auto Scaling Lifecycle and configure the Terminating:Wait hook with the action to upload all logs to the S3 bucket.