AWS Secrets Manager is a service that helps securely store, rotate, and manage secrets such as API

keys, passwords, and tokens. The developer can store the API credentials in AWS Secrets Manager

and retrieve them at runtime by using the AWS SDK. This solution will meet the requirements of

security, code management, and performance. Storing the API credentials in a local code variable or

an S3 object is not secure, as it exposes the credentials to unauthorized access or leakage. Storing the

API credentials in a DynamoDB table is also not secure, as it requires additional encryption and

access control measures. Moreover, retrieving the credentials from S3 or DynamoDB may affect

application performance due to network latency.

Reference:

[What Is AWS Secrets Manager? - AWS Secrets Manager]

[Retrieving a Secret - AWS Secrets Manager]

Scenario: Application needs to fetch songs and artists efficiently in a single operation.

BatchGetItem: This DynamoDB operation retrieves multiple items across different tables based on

their primary keys in a single request.

Optimized for Request Batching: This approach reduces network traffic compared to performing

multiple queries individually.

Data Modeling: The songs table is designed appropriately for this access pattern using artistName as

the sort key.

Reference:

Amazon DynamoDB

BatchGetItem: https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_BatchGetI

tem.ht

This solution allows the environment variables to be passed to the container when it is launched by

AWS Fargate using Amazon ECS. The task definition is a text file that describes one or more

containers that form an application. It contains various parameters for configuring the containers,

such as CPU and memory requirements, network mode, and environment variables. The

environment parameter is an array of key-value pairs that specify environment variables to pass to a

container. Defining an array that includes the environment variables under the entryPoint parameter

within the task definition will not pass them to the container, but use them as command-line

arguments for overriding the default entry point of a container. Defining an array that includes the

environment variables under the environment or entryPoint parameter within the service definition

will not pass them to the container, but cause an error because these parameters are not valid for a

service definition.

Reference: [Task Definition Parameters], [Environment Variables]

The Immutable deployment method is the best choice when a company requires minimal downtime

and automatic rollback in case of a failure. Here's why:

In Immutable deployments, a new set of instances is launched with the updated version. These

instances are tested and validated before they replace the old instances. This ensures zero downtime

and immediate rollback if the deployment fails.

All at once (A) causes downtime because the update replaces all instances simultaneously.

Rolling deployments (B) update a few instances at a time, but if a failure occurs midway, downtime or

partial unavailability can happen.

Snapshots (C) are not a deployment strategy in Elastic Beanstalk.

Reference:

Elastic Beanstalk Deployment Policies

Step 1: Understanding the Requirements

Gradual Traffic Shift: Test the new version by routing only 10% of production traffic to it.

Lambda Deployment: Use versioning and aliases to manage Lambda function updates.

Step 2: Solution Analysis

Option A:

Publishing a new version creates an immutable version of the Lambda function with the updated

code.

This is a prerequisite for deploying changes using weighted aliases.

Correct option.

Option B:

API Gateway stages are not used for weighted routing; they represent environments like "dev" or

"prod."

Weighted routing is implemented using Lambda aliases, not API Gateway stages.

Not suitable.

Option C:

Lambda aliases allow traffic to be split between versions using weighted routing.

Assign a 90% weight to the old version and 10% to the new version to implement the gradual rollout.

Correct option.

Option D:

Network Load Balancers are not suitable for managing Lambda function traffic directly.

Not applicable.

Option E:

Route 53 routing policies apply at the DNS level and are not designed for Lambda version

management.

Not suitable.

Step 3: Implementation Steps

Publish a New Version:

Publish the updated Lambda function code as a new version.

Create an Alias and Configure Weighted Routing:

Create an alias (e.g., prod) and associate it with both the old and new versions.

Set weights for traffic distribution:

aws lambda update-alias --function-name my-function \

--name prod --routing-config '{"AdditionalVersionWeights": {"2": 0.1}}'

AWS Developer Reference:

Lambda Function Aliases

Weighted Traffic Routing with Lambda

:

https://docs.aws.amazon.com/lambda/latest/dg/nodejs-context.html

https://docs.aws.amazon.com/lambda/latest/dg/nodejs-logging.html

There is no explicit information for the runtime, the code is written in Node.js.

AWS Lambda is a service that lets developers run code without provisioning or managing servers.

The developer can use the AWS request ID field in the context object to obtain a unique identifier for

each function invocation. The developer can configure the application to write logs to standard

output, which will be captured by Amazon CloudWatch Logs. This solution will meet the requirement

of logging key events with a unique identifier.

Reference:

[What Is AWS Lambda? - AWS Lambda]

[AWS Lambda Function Handler in Node.js - AWS Lambda]

[Using Amazon CloudWatch - AWS Lambda]

:

Requirement Summary:

Store customer orders in DynamoDB

Must encrypt data at rest

Company wants to use a key it generates (i.e., customer managed key)

Evaluate Options:

A . Set encryption to None, manually encrypt/decrypt in code

❌ Overhead and error-prone

Also non-compliant with AWS encryption best practices

✅ B . Use customer managed KMS key

✅ Exactly meets the requirement: customer generates and controls the key

During table creation, you can specify a KMS CMK ARN

C . Default encryption + kms:Encrypt in SDK

❌ Misunderstanding: DynamoDB handles encryption automatically

You don’t need to call kms:Encrypt manually in SDK

D . Use AWS managed key

❌ Does not meet the requirement of using custom company-generated key

DynamoDB encryption:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

KMS customer managed keys:

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

: