The number of AWS Trusted Advisor checks available to an account depends on the AWS Support plan associated with the account. The Basic and Developer support plans provide access to a limited set of Trusted Advisor checks, primarily focused on security and service limits.

The Business and Enterprise support plans provide full access to all Trusted Advisor checks, including cost optimization, performance, fault tolerance, and security categories.

Running EC2 instances, SCPs, or MFA settings do not affect the availability of Trusted Advisor checks.

Therefore, the AWS Support plan determines the quantity of available Trusted Advisor checks.

According to the AWS Cloud Operations and Deployment documentation, EC2 Image Builder is the AWS-managed service for automating the creation, maintenance, validation, and deployment of secure and compliant Amazon Machine Images (AMIs).

It allows CloudOps teams to define image pipelines that include only approved software modules and configuration scripts. EC2 Image Builder automatically tests and verifies these AMIs for compliance before deployment.

This process ensures configuration consistency, eliminates manual installation errors, and simplifies ongoing patch management. The service integrates with AWS Systems Manager, Amazon Inspector, and AWS CloudFormation for end-to-end automation.

In contrast:

Amazon Detective and GuardDuty (Options A & B) are security monitoring tools, not image management solutions.

Run Command (Option C) applies ad-hoc updates but does not create standard, reusable AMIs.

Therefore, Option D is correct—EC2 Image Builder provides the most operationally efficient and compliant way to create an approved baseline AMI for future deployments.

AWS Systems Manager provides a built-in capability to automatically update the SSM Agent on managed instances. Enabling Auto update SSM Agent ensures that instances receive the latest agent version without manual intervention or custom automation.

This setting is centrally managed and applies across the fleet, making it the most scalable and operationally efficient solution. It eliminates the need for external notifications, custom Lambda functions, or scheduled automation workflows.

Options B and D introduce unnecessary complexity and operational burden. Option C is incorrect because Patch Manager is designed for operating system patching, not for managing SSM Agent updates.

Therefore, enabling automatic SSM Agent updates is the best solution.

According to the AWS Cloud Operations and Auto Scaling documentation, scaling applications that consume Amazon SQS messages should be driven by queue backlog per instance, not by general system metrics such as network traffic or CPU.

The correct approach is to calculate a custom metric using CloudWatch metric math that divides the SQS metric ApproximateNumberOfMessagesVisible by the number of active EC2 instances in the Auto Scaling group. This “backlog per instance” value represents the average number of messages waiting to be processed by each instance.

Then, the CloudOps engineer can create a target tracking policy that automatically scales out or in based on maintaining a desired backlog threshold. This approach ensures dynamic, workload-driven scaling behavior that reacts in near real time to message volume.

Step and simple scaling (Options C and D) require manual thresholds and do not automatically balance the load per instance.

Thus, Option B—using CloudWatch metric math to define queue backlog per instance for target tracking—is the most effective and AWS-recommended CloudOps practice.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is to fix performance degradation from predictable peak CPU load without service disruptions. The most reliable and operationally standard approach is horizontal scaling with an Auto Scaling group driven by CloudWatch metrics/alarms (or target tracking). Launching additional instances and distributing traffic (typically behind a load balancer) increases capacity while keeping existing instances serving requests—no reboot or stop/start required.

Option D meets the requirement because Auto Scaling can add capacity when CPU exceeds a threshold and remove capacity when demand falls. This improves performance during peak periods and maintains availability. It is also operationally efficient: scaling actions are automated, consistent, and can be tuned with cooldowns/health checks.

Options A and C describe vertical scaling (instance resize). Resizing an EC2 instance type generally requires stopping the instance, changing the type, and starting it again—this is disruptive for a single-instance web server and often causes downtime. Option B (restarting the application) directly introduces disruption and does not address underlying capacity constraints; it can also worsen customer impact during peaks.

CloudWatch Logs data protection provides native redaction/masking of sensitive data at ingestion and query. AWS documentation states it can “detect and protect sensitive data in logs” using data identifiers, and that authorized users can “use the unmask action to view the original data.” Creating a data protection policy on the log group masks PII by default for all viewers, satisfying the requirement to redact personal information. Granting only the security team permission to invoke the unmask API operation ensures that unredacted content is restricted. Option B (KMS) encrypts at rest but does not redact fields; encryption alone does not prevent plaintext visibility to authorized readers. Options A and D add complexity and latency, move data out of CloudWatch, and do not provide default inline redaction/unmask controls in CloudWatch itself. Therefore, the CloudOps-aligned, managed solution is to use CloudWatch Logs data protection with appropriate data identifiers and unmask permissions limited to the security team.

Layer 7 (application-layer) HTTP status codes such as 200, 404, and 500 are generated by web-facing services that process HTTP requests. In this architecture, both CloudFront and the Application Load Balancer (ALB) operate at Layer 7 and record HTTP response information in their access logs.

ALB access logs include detailed request and response data such as client IP address, request path, target response status code, and latency. These logs are essential for analyzing how backend EC2 instances respond to client requests.

CloudFront access logs record viewer requests and responses at the edge locations. These logs also include HTTP status codes returned to the client, making them critical for understanding end-user experience and edge-level behavior.

VPC Flow Logs capture network-level (Layer 3 and 4) traffic metadata such as source IP, destination IP, ports, and protocol. They do not contain HTTP status codes. AWS CloudTrail logs API calls to AWS services and does not capture application response codes. RDS logs contain database-related information, not HTTP responses.

Therefore, the correct sources for HTTP Layer 7 status codes are ALB access logs and CloudFront access logs.