Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentica-tion token. Update the docker login command to use the authentication token to access the ECR repository.

This is the correct solution. The aws ecr get-login-password AWS CLI command retrieves and displays an authentication token that can be used to log in to an ECR repository. The docker login command can use this token as a password to authenticate with the ECR repository. This way, the CodeBuild project can push and pull images from the ECR repository without any errors. For more information, see Using Amazon ECR with the AWS CLI and get-login-password.

The constructs are TypeScript-based CDK libraries, so publishing production-qualified versions as npm packages is the clean release model. CodeArtifact is designed for storing and sharing software packages, including npm packages, and supports package version events. AWS documentation states that CodeArtifact creates EventBridge events when package versions are created, modified, or deleted, and AWS provides a pattern to start CodePipeline when a CodeArtifact package version changes. This satisfies semantic versioning and immediately triggers dependent application pipelines when a qualified release is published. Option A tracks a branch instead of production-qualified semantic releases. Option C introduces Git submodule overhead and delayed scheduled execution. Option D authenticates to CodeArtifact during builds but does not automatically notify or trigger all consuming application pipelines.

================

https://aws.amazon.com/caching/session-management/

AWS Health provides real-time events and information related to your AWS infrastructure. It can be integrated with Amazon EventBridge to act upon the health events automatically. If the maintenance notification from AWS Health indicates that an EC2 instance requires a restart, you can set up an EventBridge rule to respond to such events. In this case, the target of this rule would be a Lambda function that would trigger a Systems Manager automation to restart the EC2 instance during a maintenance window. Remember, AWS Health is the source of the events (not EC2 or Systems Manager), and AWS Lambda can be used to execute complex remediation tasks, such as scheduling maintenance tasks via Systems Manager.

The following are the steps involved in configuring the EventBridge rule to meet these requirements:

Configure an event source of AWS Health, a service of EC2, and an event type that indicates instance maintenance.

Target a newly created AWS Lambda function that registers an automation task to restart the EC2 instance during a maintenance window.

The AWS Lambda function will be triggered by the event from AWS Health. The function will then register an automation task to restart the EC2 instance during the next maintenance window.

https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-auto-scaling.html

Option A is incorrect because creating an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval is not a valid solution. EventBridge rules can only trigger Lambda functions based on events, not on time intervals. Moreover, querying the applications on a 5-minute interval might incur unnecessary costs and network overhead, and might not detect performance issues in real time.

Option B is correct because creating an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interval is a valid solution. CloudWatch Synthetics canaries are configurable scripts that monitor endpoints and APIs by simulating customer behavior. Canaries can run as often as once per minute, and can measure the latency and availability of the applications. Canaries can also send notifications to an Amazon SNS topic when they detect errors or performance issues1.

Option C is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution. The RequestCountPerTarget metric measures the number of requests completed or connections made per target in a target group2. This metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports is not a valid way to measure the application performance, as it depends on the application design and implementation.

Option D is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution, for the same reason as option C. The RequestCountPerTarget metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports is not a valid way to measure the application performance, as it does not account for variability or outliers in the response time distribution.

Action-level states in events

Action state Description

STARTED The action is currently running.

SUCCEEDED The action was completed successfully.

FAILED For Approval actions, the FAILED state means the action was either rejected by the reviewer or failed due to an incorrect action configuration.

CANCELED The action was canceled because the pipeline structure was updated.

The requirement is to immediately detect and terminate EC2 instances involved in cryptocurrency mining with the least development effort. Amazon GuardDuty is the AWS-native service specifically designed to detect malicious activities such as crypto-mining by continuously analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty includes managed threat intelligence and predefined findings like CryptoCurrency:EC2/BitcoinTool.B!DNS and CryptoCurrency:EC2/BitcoinTool.B!IP, which directly identify mining behavior without custom detection logic.

Option C leverages this built-in capability. Once GuardDuty is enabled, findings are automatically generated when mining activity is detected. These findings are sent to Amazon EventBridge in near real time. An EventBridge rule can filter for cryptocurrency-related findings and trigger an AWS Lambda function . The Lambda function can then identify the affected EC2 instance and terminate it or adjust the Auto Scaling group to replace it. This approach requires minimal custom code and no log parsing, scheduled jobs, or analytics pipelines.

Options A and B rely on custom log analysis, periodic execution, and maintaining lists of mining domains or IPs, which significantly increases complexity and response time. Option D uses AWS Security Hub, which aggregates findings from GuardDuty and other services but is not intended for immediate, low-latency remediation.

Therefore, Option C provides the fastest detection, immediate response, and lowest development overhead using AWS-managed threat detection services.

The company requires an organization-wide, centralized, and automated solution to detect sensitive data in Amazon S3, aggregate findings in one location, and quarantine affected objects with minimal operational overhead. AWS provides a native service specifically designed for this purpose: Amazon Macie .

Option A is essential because Amazon Macie automatically discovers and classifies sensitive data such as PII in S3 buckets using managed machine learning models. When enabled at the organization level , Macie scans buckets across all accounts and Regions. Integrating Macie with AWS Security Hub centralizes all findings in a single dashboard, allowing the company’s security officer to review and manage sensitive data alerts across the organization without building custom aggregation pipelines.

Detection alone is not sufficient; remediation is also required. Option C completes the solution by using Amazon EventBridge , which natively receives Macie findings in near real time. An EventBridge rule can trigger a Lambda function whenever Macie identifies sensitive data. The Lambda function can then copy the affected object to a quarantine S3 bucket and delete the original object, meeting the remediation requirement automatically and consistently.

Option D requires custom sensitive data detection logic, which is complex, error-prone, and unnecessary given Macie’s capabilities. Option E is invalid because SCPs cannot inspect or move data. Option B does not detect sensitive information.

Therefore, A and C together provide the most efficient, scalable, and AWS-recommended solution.

https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html

AWS doc: " To specify parallel actions, use the same integer for each action you want to run in parallel. For example, if you want three actions to run in sequence in a stage, you would give the first action the runOrder value of 1, the second action the runOrder value of 2, and the third the runOrder value of 3. However, if you want the second and third actions to run in parallel, you would give the first action the runOrder value of 1 and both the second and third actions the runOrder value of 2. "