Amazon Web Services SAP-C02 AWS Certified Solutions Architect - Professional Exam Practice Test

C is correct because the root cause is synchronous chaining of Lambda functions that causes the initial function to wait and time out. AWS Step Functions is designed to orchestrate multiple steps (including Lambda invocations) with managed state, retries, and timeouts at the workflow level. By moving the chaining logic into a Step Functions state machine and removing direct function-to-function invocations, the initial Lambda no longer needs to remain running while waiting for downstream functions. Step Functions can coordinate the sequence (or parallel branches), handle transient failures with retries/backoff, and maintain execution state without requiring a long-lived “waiting” Lambda invocation. This resolves timeouts while preserving the operational and cost advantages of a serverless Lambda-based architecture and typically requires minimal code change compared to rewriting or migrating platforms.

Why the other options are incorrect:

A: Migrating to containers/EKS is a major architectural change and increases operational overhead, violating “minimum application changes” and the desire to keep Lambda benefits.

B: Rewriting in Java is extensive and unnecessary. Adding SQS between functions changes invocation style and error handling and still requires significant redesign (and does not inherently solve orchestration/branching as cleanly as Step Functions).

D: Grouping functions into containers and running on ECS Spot changes the compute model and introduces more operational overhead and larger application changes than adopting Step Functions.

C is correct because it converts the single–Availability Zone, single-EC2-instance ECS design into a managed, multi-AZ, self-healing architecture with minimal day-to-day operations. The current design has multiple single points of failure: one EC2 instance for ECS capacity and one Availability Zone for all components. Moving the ECS service to AWS Fargate removes the need to manage EC2 instances (capacity provisioning, patching, and scaling of the container instances) and allows the service to run tasks across multiple Availability Zones for higher availability. On the database side, modifying Aurora PostgreSQL to a Multi-AZ DB cluster (by adding a replica in another AZ) increases availability and supports faster recovery from an AZ failure with AWS-managed failover.

Why the other options are less suitable:

A: Making Aurora Multi-AZ improves database availability, but it does not address the compute layer’s biggest issue: ECS is on a single EC2 instance in one AZ with no auto scaling. RDS Proxy can help with connection management, but it does not fix the application’s single-AZ ECS single-instance availability risk.

B: Cross-Region read replicas and manual failover scripts increase operational burden. Also, it keeps ECS on EC2 (still requires instance management) and introduces a manual failover process, which is the opposite of “least operational overhead.”

D: Multi-Region active-active plus Aurora global database can deliver very high availability, but it adds significant complexity (multi-Region deployment, routing strategy, global database considerations, operational procedures). That is higher operational overhead than a straightforward multi-AZ design using managed services.

Migrate to Amazon Aurora:

Amazon Aurora is a MySQL-compatible, high-performance database designed to provide higher throughput than standard MySQL. Migrating the database to Aurora will enhance the performance and scalability of the database, especially under heavy workloads.

Add Aurora Replica:

Aurora Replicas provide read scalability and improve availability. Adding an Aurora Replica allows read operations to be distributed, thereby reducing the load on the primary instance and improving response times during peak periods.

Configure Amazon RDS Proxy:

Amazon RDS Proxy acts as an intermediary between the application and the Aurora database, managing connection pools efficiently. RDS Proxy reduces the overhead ofopening and closing database connections, thus maintaining fewer active connections to the database and handling surges in database connections from the Lambda functions more effectively.

This configuration reduces the database ' s resource usage and improves its ability to handle high volumes of concurrent connections.

References

AWS Database Blog on RDS Proxy​(Amazon Web Services, Inc.)​.

AWS Compute Blog on Using RDS Proxy with Lambda​(Amazon Web Services, Inc.)​.

The correct approach involves activating the BusinessUnit cost allocation tag in the management account to ensure costs are tagged consistently across the organization.

The AWS Cost and Usage Report (CUR), delivered to a single Amazon S3 bucket in the management account, consolidates cost and usage data across all member accounts.

Amazon Athena can efficiently query the CUR data directly from S3, while Amazon QuickSight can be used to create interactive dashboards and reports that visualize the cost allocation by business unit.

This solution minimizes complexity, centralizes reporting, and leverages AWS native services for the best cost optimization and insights.

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/ by Cloudxie says " select appropriate log "

The correct answer is A.

A. This solution meets the requirements because it allows the company to create different usage plans for each customer, with different request quotas and time periods. The usage plans can be associated with API keys, which can be distributed to the users of each customer. The API Gateway REST API can invoke the Lambda function using a proxy integration, which passes the request data to the function as input and returns the function output as the response.This solution is scalable, secure, and cost-effective12

B. This solution is incorrect because API Gateway HTTP APIs do not support usage plans or API keys.These features are only available for REST APIs3

C. This solution is incorrect because it does not provide a way to enforce request quotas for each customer. Lambda function aliases can be used to create different versions of the function, but they do not have any quota mechanism.Moreover, this solution exposes the Lambda function URLs directly to the customers, which is not secure or recommended4

D. This solution is incorrect because it does not provide a way to differentiate between customers or users. AWS WAF rate-based rules can be used to limit requests based on IP addresses, but they do not support any other criteria such as user agents or headers.Moreover, this solution adds unnecessary complexity and cost by using an ALB and a VPC56

https://docs.aws.amazon.com/firehose/latest/dev/creating-the-stream-to-splunk.html

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server toannounce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.

https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

Option A, Deploy the security tool on EC2 instances in a new Auto Scaling group in the existing VPC, allows the company to use its existing security tool while still running it within the AWS environment. This ensures that all packets coming in and out of the VPC are inspected by the security tool in real time. Option D, Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool, allows for high availability within an AWS Region. By provisioning a Gateway Load Balancer for each Availability Zone, the traffic is redirected to the security tool in the event of any failures or outages. This ensures that the security tool is always available to inspect the traffic, even in the event of a failure.

Dis correct:Aurora PostgreSQLis afully managed, high-availabilitydatabase engine.

UseAWS DMSto migrate data andAWS Schema Conversion Tool (SCT)to convert stored procedures from Oracle to Aurora-compatible code.

This meets the requirements ofminimal downtime,managed services, andstored procedure support.

Ais not valid—RDS doesn’t allow custom S3 integration for storage.

Binvolves EC2, which violates the “managed services” constraint.

Crequires complete rewrite of the application logic, which contradicts the minimal downtime requirement.

This option uses different types of savings plans and reserved nodes to minimize the company’s overall monthly costs for running its application on EC2 instances, Lambda functions, and MemoryDB cache nodes. Savings plans are flexible pricing models that offer significant savings on AWS usage (up to 72%) in exchange for a commitment of a consistent amount of usage (measured in $/hour) for a one-year or three-year term. There are two types of savings plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans apply to any compute usage across EC2 instances, Fargate containers, Lambda functions, SageMaker notebooks, and ECS tasks. EC2 Instance Savings Plans apply to a specific instance family within a region and provide more savings than Compute Savings Plans (up to 66% versus up to 54%). Reserved nodes are similar to savings plans but apply only to MemoryDB cache nodes. They offer up to 55% savings compared to on-demand pricing.

Log Tenant ID and RCUs/WCUs:

Update the AWS Lambda functions to log the tenant ID and the number of Read Capacity Units (RCUs) and Write Capacity Units (WCUs) consumed from DynamoDB for each transaction.This data will be logged to Amazon CloudWatch Logs.

Calculate Tenant Costs:

Deploy an additional Lambda function that reads the logs from CloudWatch Logs, calculates the RCUs and WCUs used by each tenant, and then uses the AWS Cost Explorer API to retrieve the overall cost of DynamoDB usage. This function will then allocate the costs to each tenant based on their usage.

Scheduled Cost Calculation:

Create an Amazon EventBridge rule to trigger the cost calculation Lambda function at regular intervals (e.g., daily or hourly). This ensures that cost allocation is continuously updated and tenants are billed accurately based on their consumption.

This solution minimizes operational effort by automating the cost allocation process and ensuring that the company can accurately bill tenants based on their resource consumption.

References

AWS Cost Explorer Documentation

Amazon CloudWatch Logs Documentation

AWS Lambda Documentation

Using Mountpoint for Amazon S3 to directly mount the S3 bucket to the EC2 instances ensures that the latest version of the pricing file is always available without repeatedly downloading it to each instance.

This eliminates stale data issues and minimizes data transfer costs since the file does not need to be copied each time an instance launches.

This solution is cost-effective and aligns with AWS best practices for accessing frequently updated shared files directly from S3.

Comprehensive and Detailed Explanation:

This question is testing the correct load balancing design for a stateful web application that:

runs on multiple EC2 instances,

must scale horizontally,

uses browser cookies for session management,

requires session affinity.

The correct solution is to place the EC2 instances in an Auto Scaling group behind an Application Load Balancer and enable sticky sessions on the target group. This allows the application to scale out across multiple instances while ensuring that repeat requests from the same client are routed to the same target for the duration of the stickiness configuration.

Why C is correct

An Application Load Balancer is designed for Layer 7 HTTP/HTTPS traffic, which is exactly what a browser-based web application uses. Because the application uses cookies and requires session affinity, ALB is the correct AWS service since it supports sticky sessions for target groups. The EC2 instances can be placed in an Auto Scaling group so the application can add or remove instances as demand changes. This directly satisfies the horizontal scaling requirement.

ALB also integrates natively with Auto Scaling groups, health checks, and target groups. For web applications that rely on session persistence, ALB stickiness is the standard design choice. The application is third-party, so changing the application to externalize sessions may not be possible. Therefore, keeping requests bound to the same backend instance is the appropriate architecture.

Why A is incorrect

Route 53 does not provide cookie-based session affinity to specific EC2 instances. Multivalue answer routing can return multiple healthy records, but it is a DNS-level mechanism, not an HTTP session persistence mechanism. Route 53 Resolver rules also do not inspect browser cookies and do not ensure that a given cookie value maps consistently to one EC2 instance.

In addition, exposing each EC2 instance with a public IP is not the right scalable architecture for a horizontally scaled web application. This option lacks proper load balancer behavior and does not provide real application-layer stickiness.

Why B is incorrect

CloudFront cannot use an Auto Scaling group directly as an origin. CloudFront origins are typically an Application Load Balancer, Network Load Balancer, S3 bucket, custom HTTP origin, or similar endpoint. An Auto Scaling group itself is not a valid origin endpoint for CloudFront.

Also, CloudFront Functions are used for lightweight request and response manipulation at the edge. They are not the correct mechanism to implement instance-level session affinity for a fleet of EC2 instances. Even if cookies are forwarded, CloudFront is not the service that should manage sticky routing among application servers. That role belongs to the load balancer.

Why D is incorrect

Gateway Load Balancer is designed for deploying, scaling, and managing third-party virtual appliances such as firewalls, IDS, and deep packet inspection systems. It is not intended to front standard web applications for browser traffic.

Flow stickiness on GWLB is not the same as HTTP cookie-based session affinity for a web application. GWLB operates for appliance insertion use cases, not for traditional user-facing web application request distribution. Therefore, it does not meet the application requirement appropriately.

The company should deploy a new Amazon Elastic File System (Amazon EFS) Multi-AZ file system. The company should configure the file system for 75 MiBps of provisioned throughput. The company should implement replication to a file system in the DR Region. This solution will meet the requirements because Amazon EFS is a serverless, fully elastic file storage service that lets you share file data without provisioning or managing storage capacity and performance. Amazon EFS is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files1. By deploying a new Amazon EFS Multi-AZ file system, the company can create a single location for updates to application data for all instances. A Multi-AZ file system replicates data across multiple Availability Zones (AZs) within a Region, providing high availability and durability2. By configuring the file system for 75 MiBps of provisioned throughput, the company can ensure that it meets the peak operations requirement of 225 MiBps of read throughput. Provisioned throughput is a feature that enables you to specify a level of throughput that the file system can drive independent of the file system’s size or burst credit balance3. By implementing replication to a file system in the DR Region, the company can make a copy of the data available in another AWS Region for disaster recovery. Replication is a feature that enables you to replicate data from one EFS file system to another EFS file system across AWS Regions. The replication process has an RPO of less than 1 hour.

The other options are not correct because:

Deploying a new Amazon FSx for Lustre file system would not provide a single location for updates to application data for all instances. Amazon FSx for Lustre is a fully managed service that provides cost-effective, high-performance storage for compute workloads. However, it does not support concurrent write access from multiple instances. Using AWS Backup to back up the file system to the DR Region would not provide real-time replication of data. AWS Backup is a service that enables you to centralize and automate data protection across AWS services. However, it does not support continuous data replication or cross-Region disaster recovery.

Deploying a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume with 225 MiBps of throughput would not provide a single location for updates to application data for all instances. Amazon EBS is a service that provides persistent block storage volumes for use with Amazon EC2 instances. However, it does not support concurrent access from multiple instances, unless Multi-Attach is enabled. Enabling Multi-Attach for the EBS volume would not provide Multi-AZ resilience or cross-Region replication. Multi-Attach is a feature that enables you to attach an EBS volume to multiple EC2 instances within the same Availability Zone. Using AWS Elastic Disaster Recovery to replicate the EBS volume to the DR Region would not provide real-time replication of data. AWS Elastic Disaster Recovery (AWS DRS) is a service that enables you to orchestrate and automate disaster recovery workflows across AWS Regions. However, it does not support continuous data replication or sub-hour RPOs.

Deploying an Amazon FSx for OpenZFS file system in both the production Region and the DR Region would not be as simple or cost-effective as using Amazon EFS. Amazon FSx for OpenZFS is a fully managed service that provides high-performance storage with strong data consistency and advanced data management features for Linux workloads. However, it requires more configuration and management than Amazon EFS, which is serverless and fully elastic. Creating an AWS DataSync scheduled task to replicate the data from the production file system to the DR file system every 10 minutes would not provide real-time replication of data. AWS DataSync is a service that enables you to transfer data between on-premises storage and AWS services, or between AWS services. However, it does not support continuous data replication or sub-minute RPOs.

By splitting the 12 instances across three Availability Zones, the system can maintain high availability and availability of resources in case of a failure. Option D also uses a combination of On-Demand Instances with Capacity Reservations and Spot Instances, which allows for scheduled jobs to be run on the On-Demand instances with guaranteed capacity, while also taking advantage of the cost savings from Spot Instances for the user jobs which have lower SLA requirements.

The requirement is to reduce application latency for a globally distributed user base, with users primarily in the United States but increasing usage in Europe and the Middle East. The application is read-heavy and uses Amazon DynamoDB as its data store. Reducing latency for global users requires placing both the application compute and the data closer to users in each Region.

Option D uses the correct multi-Region architecture. Deploying the application to multiple AWS Regions places Amazon EKS workloads closer to end users. Converting the DynamoDB table to a global table creates fully managed, multi-Region replicas of the data with low-latency replication. This allows reads to be served locally from the nearest DynamoDB replica, significantly reducing read latency for users outside the primary Region. Because the workload is read-heavy, this design is particularly effective.

Route 53 geolocation routing directs users to the Region closest to them based on their geographic location. Combined with health checks and Evaluate Target Health, this ensures users are routed to the nearest healthy Region, improving both latency and availability.

Option A is incorrect because global secondary indexes do not replicate data across Regions. GSIs operate within a single Region and are used to support alternative query patterns, not global data distribution. Additionally, Route 53 failover routing is designed for disaster recovery, not for performance optimization or global load balancing.

Option B uses DynamoDB Accelerator (DAX), which improves read latency by caching data in memory, but DAX is Region-specific and does not reduce cross-Region network latency for users in Europe and the Middle East accessing a US-based application. It also does not address application-level latency caused by distance to the EKS cluster.

Option C is not valid because DynamoDB does not support read replicas in the same way relational databases do. DynamoDB replication for latency and global access is achieved through global tables, not through read replicas in a single Region. CloudFront can reduce latency for static or cacheable HTTP content, but it does not solve backend application latency or DynamoDB access latency for dynamic, read-heavy requests.

Therefore, deploying the application and DynamoDB as global tables across Regions and using Route 53 geolocation routing is the correct solution to minimize latency for all global users.

Create an S3 Bucket:

Log in to the AWS Management Console and navigate to Amazon S3.

Create a new S3 bucket that will serve as the destination for the application data.

Deploy AWS Storage Gateway:

Download and deploy the AWS Storage Gateway virtual machine (VM) on your on-premises environment. This VM can be deployed on VMware ESXi, Microsoft Hyper-V, or Linux KVM.

Configure the File Gateway:

Configure the deployed Storage Gateway as a file gateway. This will enable it to present Amazon S3 buckets as SMB file shares to your on-premises applications.

Create a New File Share:

Within the Storage Gateway configuration, create a new file share that is associated with the S3 bucket you created earlier. This file share will use the SMB protocol, allowing your on-premises applications to access the S3 bucket as if it were a local SMB file share.

Copy Data to the File Gateway:

Use your preferred method (such as robocopy, rsync, or similar tools) to copy data from the on-premises storage to the newly created file gateway endpoint. This data will be stored in the S3 bucket, maintaining accessibility through SMB.

Ensure Secure and Efficient Data Transfer:

AWS Storage Gateway ensures that all data in transit is encrypted using TLS, providing secure data transfer to AWS. It also provides local caching for frequently accessed data, improving access performance for on-premises applications.

This approach allows your existing on-premises applications to continue accessing data via SMB while leveraging the scalability and durability of Amazon S3.

References

AWS Storage Gateway Overview【67】.

AWS DataSync and Storage Gateway Hybrid Architecture【66】.

AWS S3 File Gateway Details【68】.

https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.alb-accelerator.html Option A is wrong. AWS WAF does not support associating with NLB. https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html Option B is wrong. An ALB does not support an Elastic IP address.https://aws.amazon.com/elasticloadbalancing/features/

Comprehensive and Detailed Explanation:

This question tests knowledge of private access patterns to Amazon S3 from:

resources inside a VPC, and

users in an on-premises environment connected through Site-to-Site VPN.

The correct answer is B because the company has two different traffic sources with different endpoint requirements.

Why B is correct

For the EC2 instance inside the private VPC:

An S3 gateway endpoint is the standard and most cost-effective method for private access from resources in the VPC to Amazon S3. With a gateway endpoint, traffic from the VPC to S3 stays on the AWS network and does not require a NAT gateway or internet gateway. This satisfies the requirement to remove the NAT gateways for the application’s S3 access.

For the on-premises users over the Site-to-Site VPN:

Gateway endpoints are for use within the VPC and are not accessed from on-premises networks over VPN or Direct Connect. To allow on-premises clients to access S3 privately through the VPC, the architecture needs an S3 interface endpoint with private DNS enabled. Interface endpoints create elastic network interfaces in the VPC and can be reached privately from connected on-premises environments, assuming routing and DNS are configured correctly.

Therefore, the combination is required:

S3 gateway endpoint for VPC resources

S3 interface endpoint with private DNS for on-premises access through VPN

This design allows both the EC2 application and on-premises users to access S3 without using the public internet.

Why A is incorrect

An S3 gateway endpoint works for VPC resources, but it does not provide private access for on-premises users over Site-to-Site VPN. On-premises networks cannot route directly to a gateway endpoint in the way described. That makes A incomplete and incorrect.

Why C is incorrect

Mountpoint for Amazon S3 is a way to mount an S3 bucket for file-like access from an EC2 instance or similar compute environment. It does not solve the connectivity requirement for on-premises users, and it does not address the broader network design requirement of private S3 access without NAT gateways for all stated users. It also does not replace the need for appropriate VPC endpoint architecture.

Why D is incorrect

Storage Browser for S3 is not the solution to provide private network connectivity for an application and on-premises users. It is unrelated to the core architecture requirement. The question is asking about private access paths to S3, not a user interface or client-side browser tool.

Key design principle being tested

This question checks whether you know the distinction between:

S3 gateway endpoints for traffic originating from within the VPC

S3 interface endpoints for private access from on-premises environments over hybrid connectivity

It also tests whether you understand that removing NAT gateways is possible for S3 access from private subnets when a VPC endpoint is used.

Final justification

Because the company needs:

private S3 access from an EC2 instance in a private VPC, and

private S3 access from on-premises users over VPN,

while removing NAT gateways,

the correct design is to use:

an S3 gateway endpoint for the VPC application, and

an S3 interface endpoint with private DNS for the on-premises users.

That makes B the best answer.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html Clearly says we need following header for SSE-C x-amz-server-side​-encryption​-customer-algorithm Use this header to specify the encryption algorithm. The header value must be AES256.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

Create a Network Load Balancer (NLB) and expose the assigned TCP port. Assign the Elastic IP addresses to the NLB for each Availability Zone. Create a target group and register the EC2 instances with the NLB. Create a new A (alias) record set named my.service.com, and assign the NLB DNS name to the record set. As it uses the NLB as the resource in the A-record, traffic will be routed through the NLB, and it will automatically route the traffic to the healthy instances based on the health checks and also it provides the fixed address assignments as the other companies can add the NLB ' s Elastic IP addresses to their allow lists.

All features – The default feature set that is available to AWS Organizations. It includes all the functionality of consolidated billing, plus advanced features that give you more control over accounts in your organization. For example, when all features are enabled the management account of the organization has full control over what member accounts can do. The management account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access.https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set

" The AWS WAF API supports security automation such as blacklisting IP addresses thatexceed request limits, which can be useful for mitigating HTTP flood attacks. " > https://aws.amazon.com/blogs/security/how-to-protect-dynamic-web-applications-against-ddos-attacks-by-using-amazon-cloudfront-and-amazon-route-53/

The best combination is A, D, and E because it replaces self-managed components with managed AWS services. AWS IoT Core is purpose-built for MQTT-based device communication, and IoT rules can invoke Lambda functions when messages arrive, allowing serverless processing of device data. Amazon DocumentDB is compatible with MongoDB workloads and removes the operational burden of running MongoDB clusters on EC2. For report generation, AWS Step Functions can orchestrate Lambda tasks, and the reports can be written to Amazon S3 and served publicly through CloudFront. The job duration of 120–600 seconds fits within Lambda’s 15-minute maximum invocation timeout. EKS and EC2-based MongoDB would increase operational overhead, while having Lambda poll IoT devices directly is a poor design compared with device publishing through AWS IoT Core. (AWS Documentation)

===============

Turning on S3 server-side encryption for the S3 bucket that the web application uses will enable encrypting the data at rest using Amazon S3 managed keys (SSE-S3)1. Creating a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses will enable enforcing encryption for all requests to the bucket2. Configuring redirection of HTTP requests to HTTPS requests in CloudFront will enable encrypting the data in transit using SSL/TLS3.

The correct answer is B. This option uses IAM Identity Center to create permission sets that map to the existing IAM roles in each account. This way, the company can leverage the existing policies and roles that are already configured for the expected activities of each group of users in each account. The company also needs to create a customer managed policy that allows the group to assume the roles and attach it to thepermission set. This policy grants the necessary permissions for IAM Identity Center to assume the roles on behalf of the users. Finally, the company can assign user access to the AWS accounts in IAM Identity Center, which will automatically create IAM users and groups in each account based on the permission sets.

Option A is incorrect because it requires creating new policies in each account and giving them the same name. This is not necessary and adds complexity and overhead. The company can use the existing IAM roles and policies that are already configured for each account.

Option C is incorrect because it requires creating new policies in each account and giving them unique names. This is also not necessary and adds complexity and overhead. The company can use the existing IAM roles and policies that are already configured for each account.

Option D is incorrect because it requires adding the OU to the accounts configuration in IAM Identity Center. This is not supported by IAM Identity Center, which only allows adding individual accounts or all accounts in an organization.

Migrating the containers that run the application to AWS Fargate for Amazon Elastic Container Service (Amazon ECS) will meet the requirement of not administering the Docker hosting environment. AWS Fargate is a serverless compute engine that runs containerswithout requiring any infrastructure management3. Creating an Amazon Elastic File System (Amazon EFS) file system and adding a volume to the Fargate task definition to point to the EFS file system will meet the requirement of low-latency storage that will automatically scale throughput to meet increased demand. Amazon EFS is a fully managed file system service that provides shared access to data from multiple containers, supports NFSv4 protocol, and offers consistent performance and high availability4. Amazon EFS also supports automatic scaling of throughput based on the amount of data stored in the file system5.

Allows client machines to be able to connect to Session Manager using the AWS CLI instead of going through the AWS EC2 or AWS Server Manager console. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.htmlhttps://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#:~:text=aws%20ssm%20start%2Dsession%20%2D%2Dtarget%20instance%2Did

Amazon EC2 Spot Instances offer spare compute capacity at steep discounts compared to On-Demand prices. Spot Instances can be interrupted by EC2 with two minutes of notification when EC2 needs the capacity back. Amazon EMR can handle Spot interruptions gracefully by decommissioning the nodes and redistributing the tasks to other nodes. By launching all nodes on Spot Instances in an instance fleet, the solutions architect can minimize the compute costs of the EMR cluster. An instance fleet is a collection of EC2 instances with different types and sizes that EMR automatically provisions to meet a defined target capacity. By terminating the cluster when the processing is completed, the solutions architect can avoid paying for idle resources. References:

https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-scaling.html

https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-instance-fleet.html

https://aws.amazon.com/blogs/big-data/optimizing-amazon-emr-for-resilience-and-cost-with-capacity-optimized-spot-instances/

https://aws.amazon.com/blogs/mt/self-service-vpcs-in-aws-control-tower-using-aws-service-catalog/

https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.htmlhttps://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayattachment.html

https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/

https://docs.aws.amazon.com/cur/latest/userguide/billing-cur-limits.html

The requirement is to allow each OU (which contains multiple accounts) to view a cost breakdown across its accounts. In an AWS Organizations setup with consolidated billing, the management account is the central place where organization-level cost and usage reporting is configured and aggregated. The Cost and Usage Report is designed to produce the most detailed cost and usage dataset, and it can include charges for linked (member) accounts. A single CUR created from the management account can include all accounts in the organization, and then filtering can be applied to show cost breakdowns per OU or per team.

Once the CUR is delivered to Amazon S3, analytics tools such as Amazon Athena and Amazon QuickSight can be used to create dashboards. Teams can be provided access to the dataset or curated views and can filter by linked account, tags, and other dimensions. With appropriate cost allocation tags and organizational mapping (for example, account-to-OU mapping maintained in reporting logic), each OU can see its consolidated view.

Option B meets the requirements because it creates one CUR centrally from the management account and uses QuickSight for visualization. This approach is scalable for hundreds of accounts and avoids duplicating CUR configuration in each member account.

Option A is incorrect because AWS Resource Access Manager is not used to create CURs per OU. CUR is not an OU-scoped resource created via RAM.

Option C is not operationally efficient because it requires creating and managing CURs in each member account, producing fragmented datasets and significantly increasing overhead at hundreds of accounts. It also makes it harder to generate a single view per OU across accounts.

Option D is incorrect because Systems Manager does not create CURs, and OpsCenter dashboards are not the standard tool for cost and usage reporting.

Therefore, a centrally created CUR in the management account with QuickSight visualization is the correct solution.

https://aws.amazon.com/blogs/architecture/create-dynamic-contact-forms-for-s3-static-websites-using-aws-lambda-amazon-api-gateway-and-amazon-ses/

This option allows the company to use AWS Client VPN to enable secure and private access to the Amazon ES cluster from any location1. By configuring and setting up an AWS Client VPN endpoint, the company can create a secure tunnel between the developers’ devices and the VPC2. By associating the Client VPN endpoint with a subnet in the VPC, the company can ensure that the trafficfrom the developers’ devices is routed to the Amazon ES cluster within the VPC3. By configuring a Client VPN self-service portal, the company can enable the developers to download and install the client for Client VPN, which is based on OpenVPN4. By instructing the developers to connect by using the client for Client VPN, the company can allow them to access Amazon ES to analyze and visualize logs directly from their local development machines.

What is AWS Client VPN?

Creating a Client VPN endpoint

Associating a target network with a Client VPN endpoint

Configuring a self-service portal

A. High performance computing (HPC) workload cluster should be in a single AZ.

C. Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instances to accelerate High Performance Computing (HPC)

F. Amazon FSx for Lustre - Use it for workloads where speed matters, such as machine learning, high performance computing (HPC), video processing, and financial modeling.

Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

CloudFormation cannot delete an S3 bucket that contains objects. When the developers attempt to delete temporary stacks, the delete operation fails if the associated S3 bucket still has objects. Because the bucket name is derived from the stack name, failed deletions can also prevent re-creation of stacks with the same names until the bucket is manually emptied and deleted. This causes friction for development and continuous integration workflows.

To resolve this, the solution must ensure that, during stack deletion, all objects are removed from the S3 bucket so that CloudFormation can delete the bucket successfully. CloudFormation does not natively support automatic deletion of bucket contents. However, CloudFormation custom resources can be used to perform custom actions during stack lifecycle events.

Option A proposes associating a Lambda function with a CloudFormation custom resource. The custom resource can be invoked during stack deletion to list and delete all objects (and object versions if versioning is enabled) in the specified bucket. Once the bucket is emptied by the Lambda function, the standard CloudFormation deletion process can successfully delete the bucket resource.

In addition to emptying the bucket, the IAM role used by CloudFormation must have permissions to delete objects in the bucket. If CloudFormation uses an execution role that lacks s3:DeleteObject (and potentially s3:ListBucket) permissions, the bucket-cleanup Lambda function or CloudFormation itself would not be able to remove objects. Option D ensures that CloudFormation operations are invoked by a role that has s3:DeleteObject permissions on bucket objects, enabling the custom resource to perform the deletions.

Option B is incorrect because, although DeletionPolicy can be set to Delete, there is no such capability as CAPABILITY_DELETE_NONEMPTY in CloudFormation, and DeletionPolicy alone does not override the S3 service requirement that buckets must be empty before deletion.

Option C’s Retain DeletionPolicy leaves the bucket behind when the stack is deleted. While an external AWS Config rule could clean up stale buckets, it complicates the design and does not directly solve the problem of re-creating stacks with the same bucket name in a predictable, immediate way.

Option E configures a bucket policy to grant s3:DeleteObject permissions, but this is not sufficient alone. CloudFormation still must assume a role with the appropriate permissions. Bucket policy and IAM role permissions must both be considered, but the key action to resolve the deletion failure is to explicitly empty the bucket through a custom resource, as in option A, and ensure the execution role has delete permissions, as in option D.

Therefore, implementing a Lambda-backed custom resource to empty the S3 bucket during stack deletion (option A) and ensuring the CloudFormation execution role has s3:DeleteObject permissions (option D) resolves the deletion errors and allows developers to delete and recreate stacks freely.

https://aws.amazon.com/getting-started/hands-on/move-to-managed/migrate-mongodb-to-documentdb/

https://aws.amazon.com/es/blogs/industries/how-to-monitor-alert-and-remediate-non-compliant-hipaa-findings-on-aws/

The correct answers are A and C. Cross-Region Replication requires an S3 replication rule from the source bucket to the destination bucket, and S3 Versioning must be enabled, which the question already states. Because the business requires availability in the second Region within 15 minutes, ordinary replication is not sufficient by itself. S3 Replication Time Control is designed for this type of compliance requirement and provides replication metrics and event notifications. AWS documentation specifically identifies OperationMissedThreshold as the event that notifies the bucket owner when an object eligible for S3 RTC replication exceeds the 15-minute threshold. DataSync is not the best fit for continuous object replication with a 15-minute compliance notification requirement. Transfer Acceleration improves upload performance to S3, not replication SLA tracking. (AWS Documentation)

===============

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement. The solution must:

Support automated transfer of raw and processed data.

Offer multiprotocol support.

Be directly usable from the EKS cluster as a mounted volume.

Minimize operational effort by using managed services where possible.

AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.

Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.

In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.

Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.

Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.

Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.

Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.

https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-https-connection-fails/

Using an Amazon S3 bucket

Using a MediaStore container or a MediaPackage channel

Using an Application Load Balancer

Using a Lambda function URL

Using Amazon EC2 (or another custom origin)

Using CloudFront origin groups

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

The company should use AWS Amplify to create a static website for uploads of media files. The company should use Amplify Hosting to serve the website through Amazon CloudFront. The company should use Amazon S3 to store the uploaded media files. The company should use Amazon Cognito to authenticate users. This solution will meet the requirements with the least operational overhead because AWS Amplify is a complete solution that lets frontend web and mobile developers easily build, ship, and host full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as use cases evolve. No cloud expertise needed1. By using AWS Amplify, the company can refactor the application to a serverless architecture that reduces operational complexity and costs. AWS Amplify offers the following features and benefits:

Amplify Studio: A visual interface that enables you to build and deploy a full-stack app quickly, including frontend UI and backend.

Amplify CLI: A local toolchain that enables you to configure and manage an app backend with just a few commands.

Amplify Libraries: Open-source client libraries that enable you to build cloud-powered mobile and web apps.

Amplify UI Components: Open-source design system with cloud-connected components for building feature-rich apps fast.

Amplify Hosting: Fully managed CI/CD and hosting for fast, secure, and reliable static and server-side rendered apps.

By using AWS Amplify to create a static website for uploads of media files, the company can leverage Amplify Studio to visually build a pixel-perfect UI and connect it to a cloud backend in clicks. By using Amplify Hosting to serve the website through Amazon CloudFront, the company can easily deploy its web app or website to the fast, secure, and reliable AWS content delivery network (CDN), with hundreds of points of presence globally. Byusing Amazon S3 to store the uploaded media files, the company can benefit from a highly scalable, durable, and cost-effective object storage service that can handle any amount of data2. By using Amazon Cognito to authenticate users, the company can add user sign-up, sign-in, and access control to its web app with a fully managed service that scales to support millions of users3.

The other options are not correct because:

Using AWS Application Migration Service to migrate the application server to Amazon EC2 instances would not refactor the application or accelerate development. AWS Application Migration Service (AWS MGN) is a service that enables you to migrate physical servers, virtual machines (VMs), or cloud servers from any source infrastructure to AWS without requiring agents or specialized tools. However, this would not address the challenges of overutilization and data uploads failures. It would also not reduce operational overhead or costs compared to a serverless architecture.

Creating a static website for uploads of media files and using AWS AppSync to create an API would not be as simple or fast as using AWS Amplify. AWS AppSync is a service that enables you to create flexible APIs for securely accessing, manipulating, and combining data from one or more data sources. However, this would require more configuration and management than using Amplify Studio and Amplify Hosting. It would also not provide authentication features like Amazon Cognito.

Setting up AWS IAM Identity Center (AWS Single Sign-On) to give users the ability to sign in to the application would not be as suitable as using Amazon Cognito. AWS Single Sign-On (AWS SSO) is a service that enables you to centrally manage SSO access and user permissions across multiple AWS accounts and business applications. However, this service is designed for enterprise customers who need to manage access for employees or partners across multiple resources. It is not intended for authenticating end users of web or mobile apps.

B is correct. WhenPrivate DNSis enabled for an interface endpoint, AWS automatically updates the public service DNS names (e.g., s3.amazonaws.com) to resolve toprivate IPsinside the VPC. This ensures all traffic stays within the AWS network and complies with the private IP policy.

A is not necessary — VPC endpoints already route via local network.

C only affects security group rules, not DNS resolution.

D is unnecessary unless using custom DNS resolution systems.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3

https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-direct-connect/

Use a private IP address over Direct Connect (with an interface VPC endpoint)

To access Amazon S3 using a private IP address over Direct Connect, perform the following steps:

3. Create a private virtual interface for your connection.

5. Create an interface VPC endpoint for Amazon S3 in a VPC that is associated with the virtual private gateway. The VGW must connect to a Direct Connect private virtualinterface. This interface VPC endpoint resolves to a private IP address even if you enable a VPC endpoint for S3.

The use of provisioned concurrency ensures the web application’s Lambda functions have pre-initialized execution environments, removing cold start latency and maintaining performance during high-traffic periods.

Route 53 health checks and failover records automate DNS failover to the secondary Region, improving application availability and reliability.

The CloudWatch alarm is configured to monitor the Lambda ConcurrentExecutions metric and send an SNS notification if concurrency usage nears the limit, enabling quick operational response.

This approach minimizes manual management, ensuring reliability and performance during peak traffic while meeting best practices for AWS Lambda and Route 53 failover.

This option allows the solutions architect to use an identity policy that grants the user readand write access to their own personal folder on the S3 bucket1. By adding a condition that specifies that the S3 paths must be prefixed with ${aws:username}, the solutions architect can ensure that each scientist can only access their own folder2. By applying the policy on the scientists’ IAM user group, the solutions architect can simplify the management of permissions for all the scientists3. By configuring a trail with AWS CloudTrail to capture all object-level events in the S3 bucket, the solutions architect can record and store information about every action performed on the S3 objects4. By storing the trail output in another S3 bucket, thesolutions architect can secure and archive the log files5. By using Amazon Athena to query the logs and generate reports, the solutions architect can use a serverless interactive query service that can analyze data in S3 using standard SQL.

Identity-based policies

Policy variables

IAM groups

Object-level logging

Creating a trail that applies to all regions

[What is Amazon Athena?]

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

Option C is correct because hosting the web application in Amazon S3, storing the uploaded videos in Amazon S3, and using S3 event notifications to publish events to the SQS queue reduces the operational overhead of managing EC2 instances and EBS volumes. Amazon S3 can serve static content such as HTML, CSS, JavaScript, and media files directly from S3 buckets. Amazon S3 can also trigger AWS Lambda functions through S3 event notifications when new objects are created or existing objects are updated or deleted. AWS Lambda can process the SQS queue with an AWS Lambda function that calls the Amazon Rekognition API to categorize thevideos. This solution eliminates the need for custom recognition software and third-party dependencies345

The company should download the data from the Amazon Redshift tables to an Amazon S3 bucket periodically and use AWS Data Exchange for S3 to share data with customers. The company should configure subscription verification and require the data customers to subscribe to the data product. This solution will meet the requirements with the least operational overhead because AWS Data Exchange for S3 is a feature that enables data subscribers to access third-party data files directly from data providers’ Amazon S3 buckets. Subscribers can easily use these files for their data analysis with AWS services without needing to create or manage data copies. Data providers can easily set up AWS Data Exchange for S3 on top of their existing S3 buckets to share direct access to an entire S3 bucket or specific prefixes and S3 objects. AWS Data Exchange automatically manages subscriptions, entitlements, billing, and payment1.

The other options are not correct because:

Using AWS Data Exchange for APIs to share data with customers would not work because AWS Data Exchange for APIs is a feature that enables data subscribers to access third-party APIs directly from data providers’ AWS accounts. Subscribers can easily use these APIs for their data analysis with AWS services without needing to manage API keys or tokens. Data providers can easily set up AWS Data Exchangefor APIs on top of their existing API Gateway resources to share direct access to an entire API or specific routes and stages2. However, this feature is not suitable for sharing data from Amazon Redshift tables, which are not exposed as APIs.

Creating an Amazon API Gateway Data API service integration with Amazon Redshift would not work because the Data API is a feature that enables you to query your Amazon Redshift cluster using HTTP requests, without needing a persistent connection or a SQL client3. It is useful for building applications that interact with Amazon Redshift, but not for sharing data files with customers.

Creating an AWS Data Exchange datashare by connecting AWS Data Exchange to the Redshift cluster would not work because AWS Data Exchange does not support datashares for Amazon Redshift clusters. A datashare is a feature that enables you to share live and secure access to your Amazon Redshift data across your accounts or with third parties without copying or moving the underlying data4. It is useful for sharing query results and views with other users, but not for sharing data files with customers.

Publishing the Amazon Redshift data to an Open Data on AWS Data Exchange would not work because Open Data on AWS Data Exchange is a feature that enables you to find and use free and public datasets from AWS customers and partners. It is useful for accessing open and free data, but not for confirming the identities of the customers or charging them for the data.

Option B is correct because AWS Organizations allows a company to create a new organization from a chosen payer account and define an organizational unit hierarchy. This way, the finance department can have a centralized method for payment but also maintain visibility into each group’s spending to allocate costs. The company can also invite the existing accounts to join the organization and create new accounts using Organizations, which simplifies the account management process.

Option D is correct because enabling all features of AWS Organizations and establishing appropriate service control policies (SCPs) that filter IAM permissions for sub-accounts allows the security team to have a centralized mechanism to control IAM usage in all the company’s accounts. SCPs are policies that specify the maximum permissions for an organization or organizational unit (OU), and they can be used to restrict access to certain services or actions across all accounts in an organization.

Option A is incorrect because using a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account requires more effort than using SCPs. Moreover, it does not provide a centralized mechanism to control IAM usage, as each account would have to launch the appropriate stacks to enforce the least privilege model.

Option C is incorrect because requiring each business unit to use its own AWS accounts does not provide a centralized method for payment or a centralized mechanism to control IAM usage. Tagging each AWS account appropriately and enabling Cost Explorer to administer chargebacks may help with cost allocation, but it is not as efficient as using AWS Organizations.

Option E is incorrect because consolidating all of the company’s AWS accounts into a single AWS account does not provide visibility into each group’s spending or a way to control IAM usage for different business units. Using tags for billing purposes and the IAM’s Access Advisor feature to enforce the least privilege model may help with cost optimization and security, but it is not as scalable or flexible as using AWS Organizations.

AWS Organizations

Service Control Policies

AWS CloudFormation

Cost Explorer

IAM Access Advisor

This option allows the company to use Amazon CloudFront to improve the latency and availability of the API requests by caching the responses at the edge locations closest to the clients1. By enabling caching in the production stage, the company can reduce the number of calls made to the backend services, such as Lambda functions and Aurora Serverless DB cluster, and save on costs and resources2. This option also helps to handle traffic spikes and reduce database memory errors by serving cached responses instead of querying the database repeatedly.

Choosing an API endpoint type

Enabling API caching to enhance responsiveness

Option A is correct because placing the EC2 instances behind an Application Load Balancer (ALB) and associating an SSL certificate from AWS Certificate Manager (ACM) with the ALB enables encryption in transit between the client and the ALB. Exporting the SSL certificate and installing it on each EC2 instance enables encryption in transit between the ALB and the web server. Configuring the ALB to listen on port 443 and to forward traffic to port 443 on the instances ensures that HTTPS is used for both connections. This solution achieves end-to-end encryption in transit for the web application12

The modernized application needs to store and serve video files up to 4 GB. Large binary content should not be stored directly in a database because it negatively affects database performance, scaling, and backup/restore times. The standard AWS pattern is to store large objects in Amazon S3 and keep only references (such as keys or URLs) in the database.

User profile data is simple, text-based, and currently lives in a single table. This is a good fit for a key-value or document-style data model such as Amazon DynamoDB, which provides fully managed horizontal scaling and predictable performance at scale.

Option B migrates the profile table to DynamoDB using AWS DMS with AWS Schema Conversion Tool (SCT). Video files are stored as objects in Amazon S3, which is designed for large, durable, and highly scalable object storage. The DynamoDB item stores only the S3 key that corresponds to each user’s video, keeping the database small and responsive. S3 can scale rapidly and independently of the database, and offloads the heavy I/O load of large objects away from the transactional store, so overall application performance is not negatively impacted by video storage or retrieval.

Option A stores the videos as base64-encoded strings in a TEXT column in a relational database. Storing multi-gigabyte objects directly in a relational database table leads to large row sizes, larger indexes, longer backup times, and degraded performance as the table grows. This does not meet the requirement to avoid affecting application performance.

Option C uses Amazon Keyspaces (for Apache Cassandra) as the profile store and S3 for video. While storing videos in S3 is correct, Keyspaces is typically chosen when there is already a Cassandra-based workload or a need for Cassandra-compatible interfaces. For a simple single-table user profile store being migrated from MySQL, DynamoDB is the more natural, managed choice and aligns better with AWS migration and modernization guidance.

Option D stores the videos as base64-encoded strings in DynamoDB items. DynamoDB has a maximum item size of 400 KB, which is far smaller than the 4 GB video size requirement. This makes option D technically infeasible.

Therefore, migrating user profile data to DynamoDB and storing video files in Amazon S3, with S3 keys stored in the corresponding DynamoDB items (option B), provides scalable video storage and protects application performance.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html

Deploy AWS DataSync Agent:

Install the DataSync agent on your on-premises environment. This can be done by downloading the agent as a virtual appliance and deploying it on VMware ESXi, Hyper-V, or KVM hypervisors.

Configure Source and Destination Locations:

Set up the source location pointing to your on-premises storage where the software images are currently stored.

Configure the destination location to point to your Amazon S3 bucket in the ap-northeast-1 Region.

Create and Schedule DataSync Tasks:

Create a DataSync task to automate the transfer process. This task will specify the source and destination locations and set options for how the data should be transferred.

Schedule the task to run at intervals that suit your data transfer requirements, ensuring new images are transferred as they are created.

Encryption in Transit:

AWS DataSync automatically encrypts data in transit using TLS, ensuring that your data is secure during the transfer process.

Monitoring and Management:

Use the DataSync console or the AWS CLI to monitor the progress of your data transfers and manage the tasks.

AWS DataSync is an efficient solution that automates and accelerates the process of transferring large amounts of data to AWS, handling encryption, data integrity checks, and optimizing network usage without requiring custom development.

References

AWS Storage Blog on DataSync【40】.

AWS DataSync Documentation【41】.

The company wants a centralized enforcement mechanism across hundreds of AWS accounts. The control must ensure that any S3 access points that product teams create are VPC-only and cannot be internet-accessible. The most operationally efficient solution is one that applies across the organization without requiring per-account deployments, per-bucket policies, or per-access-point configuration.

Service control policies (SCPs) in AWS Organizations are designed to provide centralized guardrails that define the maximum available permissions for accounts in an organization. By attaching an SCP at the organization root (or to OUs as needed), the company can enforce that no principal in any account can create an S3 access point unless the request specifies a VPC network origin. This aligns directly with the requirement to enforce “VPC-only” access points consistently across all accounts with minimal ongoing operational work.

Option B uses an SCP at the root to deny s3:CreateAccessPoint unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC. This is the correct organization-wide preventive control.

Option A is not correct because an S3 access point resource policy is attached to an access point after it exists and is primarily used to control access to the access point. It is not a reliable organization-wide preventive mechanism to enforce how access points are created across hundreds of accounts. Also, it requires access point-by-access point management, which increases operational overhead.

Option C is less operationally efficient because StackSets deployment across hundreds of accounts introduces additional operational steps and drift management. It also relies on account-level IAM permissions being properly used and does not provide a simple, centralized “cannot be bypassed” guardrail in the same way that an SCP does.

Option D is incorrect because S3 bucket policies control access to bucket resources and objects. They do not function as an organization-wide control to prevent creation of access points across accounts, and they would require bucket-by-bucket management rather than a centralized enforcement mechanism.

Therefore, a root-level SCP that denies access point creation unless the access point network origin is VPC is the most operationally efficient enforcement approach.

" This operation can be called only from the organization ' s management account. Member accounts can remove themselves with LeaveOrganization instead. " https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html

Comprehensive and Detailed Explanation:

Why C is the best answer

This question requires all of the following:

Bidirectional access between two separate AWS Organizations

Access to S3 buckets across accounts and organizational boundaries

Encryption at rest

Logging of all S3 bucket access

Buckets exist in different Regions

Option C is the best match because S3 Access Points are purpose-built to simplify and scale access management for shared S3 datasets. For cross-account or multi-team sharing scenarios, S3 Access Points let you define dedicated access paths and policies instead of overloading a single bucket policy. For encryption at rest, customer managed AWS KMS keys are the strongest fit when cross-account access must be explicitly controlled. For logging bucket-level object access, AWS CloudTrail is the correct service because S3 data events record object-level API activity such as GetObject and PutObject.

Why the other options are not correct

A. S3 Access Grants is not the best fit here

S3 Access Grants is designed primarily to grant S3 access to identities mapped from identity sources and simplify data access at scale. It is not the standard primary design choice for bidirectional bucket sharing between two separate organizations. The exam-focused architectural pattern for controlled cross-account S3 sharing is S3 Access Points plus policies, combined with KMS permissions and CloudTrail data events. Even though SSE-KMS and CloudTrail data events are good parts of the design, the access mechanism in A is not the best answer.

B. VPC networking services do not solve the main requirement

VPC peering, PrivateLink, and endpoint access controls are network connectivity controls. Amazon S3 is not shared between organizations by building VPC peering between their VPCs. Also, VPC Flow Logs record network flow metadata, not S3 object access. That means B fails the logging requirement and uses the wrong control plane for the access-sharing requirement.

D. Replication and SCPs do not provide bidirectional shared access

S3 Cross-Region Replication copies objects; it does not establish bidirectional shared access for both organizations to each other’s buckets. Service Control Policies also do not work the way this option describes. SCPs are guardrails within an AWS Organization; they are not shared between separate organizations to grant object access. In addition, S3 server access logging is not the best answer when the requirement is to collect logs of all S3 bucket access in an auditable way for object-level API actions. CloudTrail data events are the stronger and more exam-aligned choice for logging object access activity.

Key technical reasoning

Cross-account / cross-organization S3 access:

S3 Access Points are commonly used to provide distinct permissions and simplified policy management for different consumers of the same bucket. This is especially useful in multi-account environments.

Encryption at rest:

When access spans accounts or organizations, customer managed KMS keys are preferred because key policies and grants can explicitly authorize external principals. This gives finer control than SSE-S3 when cross-account governance matters.

Logging:

For S3 object-level operations, CloudTrail data events are the standard answer in AWS architecture questions. They record API activity such as GetObject, PutObject, and DeleteObject. This is more appropriate than VPC Flow Logs or relying only on S3 server access logging.

Regional aspect:

The fact that buckets are in us-east-1 and us-west-1 does not prevent cross-account access. S3 access control, KMS permissions, and CloudTrail can be configured in the relevant Regions.

Cross account role should be created in destination(member) account. The role has trust entity to master account.

Create an S3 Bucket:

Navigate to Amazon S3 in the AWS Management Console and create a new S3 bucket to store the game files.Enable static website hosting on this bucket.

Upload Game Files:

Upload the 5 GB game release package to the S3 bucket. Ensure that the files are publicly accessible if required for download.

Configure Amazon Route 53:

Set up a new domain or subdomain in Amazon Route 53 and point it to the S3 bucket. This allows users to access the game files using a custom URL.

Use Amazon CloudFront:

Create a CloudFront distribution with the S3 bucket as the origin. CloudFront is a content delivery network (CDN) that caches content at edge locations worldwide, improving download performance and reducing latency for users regardless of their location.

Publish the Download URL:

Use the CloudFront distribution URL as the download link for users to access the game files. CloudFront will handle the efficient distribution and caching of the content.

This solution leverages the scalability of Amazon S3 and the performance benefits of CloudFront to provide an optimal download experience for users globally while minimizing costs.

References

Amazon CloudFront Documentation

Amazon S3 Static Website Hosting

Option A is correct because using an Elastic Load Balancer and an Auto Scaling group with a minimum capacity of two instances can improve the availability and scalability of the EC2 instances that host the application. The load balancer can distribute traffic across multiple instances and the Auto Scaling group can replace any unhealthy instances automatically1

Option D is correct because modifying the DB instance to create a Multi-AZ deployment that extends across two Availability Zones can improve the availability and durability of the RDS for MariaDB database. Multi-AZ deployments provide enhanceddata protection and minimize downtime by automatically failing over to astandby replica in another Availability Zone in case of a planned or unplanned outage4

Option F is correct because creating a replication group for the ElastiCache for Redis cluster and enabling Multi-AZ on the cluster can improve the availability and fault tolerance of the in-memory data store. A replication group consists of a primary node and up to five read-only replica nodes that are synchronized with the primary node using asynchronous replication. Multi-AZ allows automatic failover to one of the replicas if the primary node fails or becomes unreachable6

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html

CORS errors occur when a web page hosted on one domain tries to make a request to a server hosted on another domain. In this scenario, the registration form hosted on the static website is trying to make a request to the API Gateway API endpoint hosted on a different domain, which is causing the error. To resolve this error, the Access-Control-Allow-Origin header needs to be set to the domain from which the request is being made. In this case, the header is already set to www.example.com on the CloudFront distribution origin. Therefore, the solutions architect should enable the CORS setting on the API Gateway API endpoint and ensure that the API endpoint is configured to return all responses that have the Access-Control-Allow-Origin header set to www.example.com. This will allow the API endpoint to respond to requests from the static website without a CORS error.

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cors-errors/

Reference architecture -https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-saas.html

Note from documentation that Interface Endpoint is at client side

Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role, to create a trust relationship with the new IAM role in the sales account.

This approach is the most secure way to grant cross-account access to the data in the S3 bucket while minimizing operational overhead. By creating an IAM role in the sales account, the marketing team can assume the role in their own account, and have access to the S3 bucket. And updating the QuickSight role, to create a trust relationship with the new IAM role in the sales account will grant the marketing team to access the data in the S3 bucket and use it for data visualization using QuickSight.

AWS Resource Access Manager (AWS RAM) also allows sharing of resources between accounts, but it would require additional management and configuration to set up the sharing, which would increase operational overhead.

Using S3 replication would also replicate the data to the marketing account, but it would not provide the marketing team access to the original data, and also it would increase operational overhead with managing the replication process.

IAM roles and policies, KMS grants and trust relationships are a powerful combination for managing cross-account access in a secure and efficient manner.

AWS Application Migration Service:

AWS Application Migration Service (MGN) facilitates the migration of virtual machines (VMs) to AWS without installing additional software on the VMs. This agentless service helps in seamlessly migrating workloads to AWS.

AWS Migration Hub Strategy Recommendations:

AWS Migration Hub Strategy Recommendations offer insights and guidance for planning and implementing migration strategies. It helps in generating a Total Cost of Ownership (TCO) report by automatically importing discovery data from the VMs.

Generating the TCO Report:

The combined use of AWS Application Migration Service and Migration Hub Strategy Recommendations enables the automatic import of discovery data and the generation of an accurate TCO report, ensuring a smooth and cost-effective migration process.

References

AWS Migration Hub Strategy Recommendations​(AWS Documentation)​.

The correct answer is D.

D. This solution meets the requirements because it uses a scheduled scaling policy for the EC2 instances, which can adjust the capacity according to the known sale events. It also uses Amazon Aurora PostgreSQL Multi-AZ DB cluster, which provides high availability and durability for the database. It uses Amazon EventBridge rules and AWS Lambda functions to create a larger Aurora Replica before a sale event and fail over to it, which can improve the performance and handle the increased traffic.It also uses anotherEventBridge rule and Lambda function to scale down the Aurora Replica after the sale event, which can save costs123

A. This solution is incorrect because it uses predictive scaling policy for the EC2 instances, which is not suitable for one-time events that are scheduled. Predictive scaling is based on historical data and machine learning, which may not accurately forecast the demand for sale events. It also uses Amazon Aurora PostgreSQL Serverless v2 Multi-AZ DB instance, which does not support read replicas.The use of AWS Step Functions state machine and Lambda functions to pre-warm the database is unnecessary and adds complexity45

B. This solution is incorrect because it uses Amazon RDS for PostgreSQL Multi-AZ DB instance with automatically scaling read replicas, which may not provide enough performance improvement for the sale events. The use of EventBridge rules and Lambda functions to create a larger read replica and fail over to it is risky and may cause downtime ordata loss.The use of another EventBridge rule and Lambda function to scale down the read replica is also risky and may cause inconsistency or data loss67

C. This solution is incorrect because it uses predictive scaling policy for the EC2 instances, which is not suitable for one-time events that are scheduled. Predictive scaling is based on historical data and machine learning, which may not accurately forecast the demand for sale events.The use of AWS Step Functions state machine and Lambda functions to pre-warm the database is unnecessary and adds complexity45

The company requires two different types of security analysis: vulnerability scanning for CVEs and code-level scanning for sensitive data exposure. Amazon Inspector provides both Lambda Standard Scanning and Lambda Code Scanning. These capabilities allow Inspector to examine Lambda deployment packages and Lambda layers for software vulnerabilities, and also perform static code analysis to detect insecure coding patterns. To meet the requirement that only certain Lambda functions receive deeper code scanning, Inspector allows enabling or disabling code scanning at the individual Lambda function level through the function ' s Monitor settings. Inspector additionally supports resource exclusion based on tagging, allowing administrators to prevent specific Lambda functions from participating in code scans. Tag-based exclusion satisfies the requirement to scan only a subset of Lambda functions.

Option B is required because enabling both Lambda standard scanning and Lambda code scanning activates the functionality necessary for CVE detection and code security analysis.

Option D is required because enabling scanning at the function level ensures that code scanning runs only for selected Lambda functions.

Option E is required because resource exclusion using tags allows the administrator to exclude non-target Lambda functions from code scanning automatically.

Options A and C do not satisfy the requirement because simply activating Amazon Inspector does not configure per-function scanning behavior, and GuardDuty Lambda Protection does not scan for CVEs or code vulnerabilities. Option F is not valid because Amazon Inspector does not perform scans directly against objects stored in Amazon S3; scanning occurs against the deployed Lambda function versions themselves.

https://aws.amazon.com/premiumsupport/knowledge-center/s3-upload-large-files/

Enabling S3 Transfer Acceleration on the S3 bucket and configuring the app to use the Transfer Acceleration endpoint for uploads will improve the app ' s performance for these uploads by leveraging Amazon CloudFront ' s globally distributed edge locations to accelerate the uploads. Breaking the video files into chunks and using a multipart upload to transfer files to Amazon S3 will also improve the app ' s performance by allowing parts of the file to be uploaded in parallel, reducing the overall upload time.

Comprehensive and Detailed Explanation:

Option C offers a scalable and low-overhead solution for managing custom controls across multiple AWS accounts:

AWS Control Tower provides a pre-configured environment to set up and govern a secure, multi-account AWS environment based on AWS best practices.

Customizations for AWS Control Tower (CfCT) allows for the deployment of custom configurations and resources, such as AWS Config rules and IAM policies, across accounts and organizational units using AWS CloudFormation templates.

Amazon EventBridge integrates with AWS Control Tower to automate the deployment of customizations during account provisioning events, ensuring that all new accounts adhere to the defined controls without manual intervention.

This approach ensures consistent enforcement of custom controls across all accounts with minimal operational overhead.

This solution will meet the requirements of implementing a highly available architecture for the application servers in AWS. Creating a pool of ENIs will allow the application servers to have consistent MAC addresses, which are needed for the license files. Requesting license files from the vendor for the pool and storing them in Amazon S3 will ensure that the license files are available and secure. Creating a bootstrap automation script to download a license file and attach the corresponding ENI to an EC2 instance will automate the process of launching new application servers with valid licenses. Editing the bootstrap automation script to read the database server IP address from the AWS Systems Manager Parameter Store and inject the value into the local configuration files will enable the application servers to access the database without hard-coding the IP address in the configuration files. This will also allow changing the database server IP address without modifying the configuration files on each application server.

Identify Proxy EC2 Instances:

Determine which EC2 instances in the private subnets are running the proxy server software.

Disable Source/Destination Checks:

For each of these EC2 instances, go to the AWS Management Console.

Navigate to the EC2 dashboard, select the instance, and choose " Actions " > " Networking " > " Change Source/Dest.Check " .

Disable the source/destination check for these instances.

Disabling source/destination checks allows the EC2 instances to route traffic appropriately, enabling them to function as network appliances or proxies. This ensures that traffic from other instances in the private subnets can be routed through the proxy instances to the internet, meeting the company ' s security requirements.

References

Amazon EC2 User Guide on Source/Destination Checks

The best solution for this problem is to update the visibility timeout for the SQS queue to 3 hours. This is because when the visibility timeout is set to 1 hour, it means that if the EC2 instance doesn ' t process the message within an hour, it will be moved to the dead-letter queue. By increasing the visibility timeout to 3 hours, this should give the EC2 instance enough time to process the message before it gets moved to the dead-letter queue. Additionally, configuring scale-in protection for the EC2 instances during processing will help to ensure that the instances are not terminated while the messages are being processed.

https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/

https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

Option D best addresses all aspects of the problem:

Provisioned Concurrency for Lambda ensures that the Lambda functions have pre-initialized execution environments ready, eliminating cold start delays and ensuring low-latency performance during traffic spikes.

RDS Reserved Instances provide significant cost savings for workloads with consistent and predictable usage, which aligns with the company’s usage patterns.

AWS WAF integrated with CloudFront directly addresses the security concern by providing application layer protection against SQL injection and web exploit attempts.

This solution ensures scalability, performance consistency, cost savings, and security protection without introducing unnecessary complexity.

Resource-based policies are policies that you attach to a resource, such as an IAM role, to specify who can access the resource and what actions they can perform on it1. Identity-based policies are policies that you attach to an IAM user, group, or role to specify what actions they can perform on which resources2. Trust policies are special types of resource-based policies that define which principals (such as IAM users or roles) can assume a role3.

To allow an IAM user in Account A to assume a role in Account B, the solutions architect needs to do the following:

Configure the resource-based policy on the target role in Account B to allow the action sts:AssumeRole for the IAM user in Account A. This policy grants permission to the IAM user to assume the role4.

Configure the identity-based policy on the user in Account A to allow the action sts:AssumeRole for the target role in Account B. This policy grants permission to the user to perform the action of assuming the role5.

Configure the trust policy on the target role in Account B to allow the principal of the IAM user in Account A. This policy defines who can assume the role.

Resource-based policies

Identity-based policies

Trust policies

Granting a user permissions to switch roles

Switching roles

[Modifying a role trust policy]

You can segment your network by creating multiple route tables in an AWS Transit Gateway and associate Amazon VPCs and VPNs to them. This will allow you to create isolated networks inside an AWS Transit Gateway similar to virtual routing and forwarding (VRFs) in traditional networks. The AWS Transit Gateway will have a default route table. The use of multiple route tables is optional.

Using an Amazon Kinesis data stream as a target for the IoT Core rule ensures durable and scalable buffering of data during traffic spikes.

An ECS Fargate application reads data from Kinesis, processes it, and stores it in Aurora, meeting the requirement for flexible, serverless data handling.

This solution guarantees no data loss while providing real-time or near-real-time data processing capabilities.

Option A is incorrect because creating a Direct Connect gateway in the central account and creating an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway does not enable active-passive failover between the regions. A Direct Connect gateway is a globally available resource that enables you to connect your AWS Direct Connect connection over a private virtual interface (VIF) to one or more VPCs in any AWS Region. A virtual private gateway is the VPN concentrator on the Amazon side of a VPN connection. You can associate a Direct Connect gateway with either a transit gateway or a virtual private gateway. However, a Direct Connect gateway does not provide any load balancing or failover capabilities by itself1

Option B is correct because creating a Direct Connect gateway and a transit gateway in the central network account and attaching the transit gateway to the Direct Connect gateway by using a transit VIF meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. A transit VIF is a type of private VIF that you can use to connect your AWS Direct Connect connection to a transit gateway or a Direct Connect gateway. A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. By using a transit VIF, you can route traffic between your on-premises network and multiple VPCs across different AWS accounts and Regions through a single connection23

Option C is incorrect because provisioning an internet gateway, attaching the internet gateway to subnets, and allowing internet traffic through the gateway does not meet the requirement of routing cloud resources to the internet through its on-premises data center. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. By using an internet gateway, you are routing cloud resources directly to the internet, not through your on-premises data center.

Option D is correct because sharing the transit gateway with other accounts and attaching VPCs to the transit gateway meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. You can share your transit gateway with other AWS accounts within the same organization by using AWS Resource Access Manager (AWS RAM). This allows you to centrally manage connectivity from multiple accounts without having to create individual peering connections between VPCs or duplicate network appliances in each account. You can attach VPCs from different accounts and Regions to your shared transit gateway and enable routing between them.

Option E is incorrect because provisioning VPC peering as necessary does not meet the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within asingle Region. However, VPC peering does not allow you to route traffic from your on-premises network to your VPCs or between multiple Regions. You would need to create multiple VPN connections or Direct Connect connections for each VPC peering connection, which increases operational complexity and costs.

Option F is correct because provisioning only private subnets, opening the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center meets the requirement of routing cloud resources to the internet through its on-premises data center. A private subnet is a subnet that’s associated with a route table that has no route to an internet gateway. Instances in a private subnet can communicate with other instances in the same VPC but cannot access resources on the internet directly. To enable outbound internet access from instances in private subnets, you can use NAT devices such as NAT gateways or NAT instances that are deployed in public subnets. A public subnet is a subnet that’s associated with a route table that has a route to an internet gateway. Alternatively, you can use your on-premises data center as a NAT device by configuring routes on your transit gateway and customer gateway that direct outbound internet traffic from your private subnets through your VPN connection or Direct Connect connection. This way, you can route cloud resources to the internet through your on-premises data center instead of using an internet gateway.

Using AWS Transfer Family with Amazon S3 storage eliminates the need to manage file servers and offers a scalable and durable file storage solution.

S3 event notifications automatically trigger the AWS Glue transformation jobs upon file arrival, eliminating manual job scheduling.

AWS Glue jobs can be configured to send a notification to an Amazon SQS queue after completion, maintaining the messaging workflow with minimal operational overhead.

This fully managed approach simplifies the architecture and leverages AWS-native automation.

The correct answer is B.

B. This solution is the most cost-effective because it uses an EC2 Instance Savings Plan for the online gaming application instances, which provides the lowest prices and savings up to 72% compared to On-Demand prices. The EC2 Instance Savings Plan applies to any instance size within the same family and region, regardless of availability zone, operating system, or tenancy. The online gaming application instances run all year and must always be available, so they are not suitable for Spot Instances, which can be interrupted with a two-minute notice. This solution also uses Spot Instances for the analytics application, which can reduce the cost by up to 90% compared to On-Demand prices. The analytics application can be interrupted and resumed without issue, so it is a good fit for Spot Instances, which use spare EC2 capacity.This solution does not require AWSService Catalog, which is a service that helps to create and manage catalogs of IT services that are approved for use on AWS, but does not provide any discounts123

A. This solution is incorrect because it uses On-Demand Instances for the analytics application, which are more expensive than Spot Instances. The analytics application can be interrupted and resumed without issue, so it can benefit from the lower cost of Spot Instances, which use spare EC2 capacity.

C. This solution is incorrect because it uses Spot Instances for the online gaming application, which can be interrupted with a two-minute notice. The online gaming application instances must always be available, so they are not suitable for Spot Instances, which use spare EC2 capacity. This solution also uses AWS Service Catalog, which is a service that helps to create and manage catalogs of IT services that are approved for use on AWS, but does not provide any discounts.

D. This solution is incorrect because it uses On-Demand Instances for the online gaming application, which are more expensive than an EC2 Instance Savings Plan. The online gaming application instances run all year and must always be available, so they are suitable for an EC2 Instance Savings Plan, which provides the lowest prices and savings up to 72% compared to On-Demand prices. This solution also uses AWS Service Catalog, which is a service that helps to create and manage catalogs of IT services that are approved for use on AWS, but does not provide any discounts.

Creating a user pool in Amazon Cognito and configuring it for the application will meet the requirement of giving only a specific list of users the ability to access the application from the internet. A user pool is a directory of users that can sign in to an application with ausername and password1. The company can populate the user pool with the required users and configure the pool to require MFA for additional security2. Configuring a listenerrule on the ALB to require authentication through the Amazon Cognito hosted UI will meet the requirement of not changing the application and not integrating it with an identity provider. The ALB can use Amazon Cognito as an authentication action to authenticate usersbefore forwarding requests to the Fargate service3. The Amazon Cognito hosted UI is a customizable web page that provides sign-in and sign-up functionality for users4.

For migration planning, AWS provides specific tooling to discover on-premises servers, collect detailed performance and configuration data, and analyze application dependencies. The primary service for this purpose is AWS Application Discovery Service, which integrates with AWS Migration Hub.

The AWS Application Discovery Agent is installed on on-premises physical servers and VMs. It collects detailed information such as CPU, memory, and disk utilization; processes and services running on the system; system configuration details; and network connections between systems. This allows the company to understand how servers communicate, what applications are running, and what dependencies exist between components.

This data is sent to AWS Application Discovery Service and surfaced through AWS Migration Hub, where the company can view discovered servers, group them logically into applications, and analyze migration readiness. Migration Hub can use this collected data to provide recommendations for EC2 instance sizing that are based on actual on-premises utilization metrics, helping choose appropriate EC2 instance types and sizes.

Option C directly describes installing the AWS Application Discovery Agent, using AWS Migration Hub to discover and group servers into applications, and using Migration Hub to generate EC2 instance recommendations. This aligns with AWS’s migration assessment tooling and meets all the stated goals: performance measurement, system configuration listing, network connection understanding, dependency analysis, and instance sizing recommendations.

Option A uses AWS Systems Manager Agent and Application Manager. While Systems Manager can manage servers and collect some information, it is not the primary tool for detailed migration discovery, networking dependency mapping, and migration-focused analysis. It also suggests using AWS Pricing Calculator for instance recommendations, which requires manual input and does not automatically derive recommendations from observed utilization and dependencies.

Option B suggests using the Amazon Inspector agent to gather performance and usage information. Amazon Inspector is designed for vulnerability and security assessments, not for detailed migration discovery or dependency mapping. Additionally, AWS Compute Optimizer currently bases its recommendations on usage metrics from AWS resources, not on-premises servers.

Option D uses the CloudWatch agent to collect metrics and then Migration Hub and Compute Optimizer. The CloudWatch agent is not the standard agent for migration discovery and dependency analysis of on-premises workloads. Also, Compute Optimizer focuses on optimization of existing AWS resources rather than creating recommendations based on on-premises utilization.

Therefore, installing the AWS Application Discovery Agent and using AWS Migration Hub (option C) is the correct solution to satisfy all the requirements for migration assessment and EC2 sizing recommendations.

Create a Transit Gateway:

In the shared services account, create a new AWS Transit Gateway. This serves as a central hub to connect multiple VPCs, simplifying the network topology and management.

Configure Transit Gateway Attachments:

Attach the VPC containing the Aurora DB cluster to the transit gateway. This allows the shared services VPC to communicate through the transit gateway.

Create Resource Share with AWS RAM:

Use AWS Resource Access Manager (AWS RAM) to create a resource share for the transit gateway. Share this resource with all development accounts. AWS RAM allows you to securely share your AWS resources across AWS accounts without needing to duplicate them.

Accept Resource Shares in Development Accounts:

Instruct each development team to log into their respective AWS accounts and accept the transit gateway resource share. This step is crucial for enabling cross-account access to the shared transit gateway.

Configure VPC Attachments in Development Accounts:

Each development account needs to attach their VPC to the shared transit gateway. This allows their VPCs to route traffic through the transit gateway to the Aurora DB cluster in the shared services account.

Update Route Tables:

Update the route tables in each VPC to direct traffic intended for the Aurora DB cluster through the transit gateway. This ensures that network traffic is properly routed between the development VPCs and the shared services VPC.

Using a transit gateway simplifies the network management and reduces operational overhead by providing a scalable and efficient way to interconnect multiple VPCs across different AWS accounts.

References

AWS Database Blog on RDS Proxy for Cross-Account Access【48】.

AWS Architecture Blog on Cross-Account and Cross-Region Aurora Setup【49】.

DEV Community on Managing Multiple AWS Accounts with Organizations【51】.

The best option is to use Amazon SQS and AWS Lambda to create a serverless order processing application. Amazon SQS is a fully managed message queue service that can decouple the order receiving and processing components, making the application more scalable and fault-tolerant. AWS Lambda is a serverless compute service that can automatically scale to handle the incoming messages from the SQS queue and process them according to the business logic. AWS Lambda can also integrate with Amazon DynamoDB to store the processed orders in a fast and flexible NoSQL database. This approach eliminates the need to provision, manage, or scale any servers or containers, and reduces the operational overhead and cost.

Option A is not reliable because using an EC2-hosted database to receive the orders introduces a single point of failure and a scalability bottleneck. EC2 instances also require more management and configuration than serverless services.

Option C is not reliable because using AWS Step Functions to receive the orders adds unnecessary complexity and cost to the application. AWS Step Functions is a service that coordinates multiple AWS services into a serverless workflow, but it is not designed to handle high-volume, sporadic, or unpredictable traffic patterns. AWS Step Functions also charges per state transition, which can be expensive for a large number of orders. Launching an ECS container to process each order also requires more resources and management than invoking a Lambda function.

Option D is not reliable because using Amazon Kinesis Data Streams to receive the orders is not suitable for this use case. Amazon Kinesis Data Streams is a service that enables real-time processing of streaming data at scale, but it is not meant for asynchronous message queuing. Amazon Kinesis Data Streams requires consumers to poll the data from the stream, which can introduce latency and complexity. Amazon Kinesis Data Streams also charges per shard hour, which can be expensive for a sporadic traffic pattern.

Amazon SQS

AWS Lambda

Amazon DynamoDB

AWS Step Functions

Amazon ECS

Creating a quota request template in the us-east-1 Region of the management account ensures it applies to all newly provisioned accounts in the organization.

By specifying the required ml.p2.xlarge training job and endpoint usage quotas in ap-southeast-2, the accounts will automatically receive these higher quotas upon creation, supporting the student lab environments without additional manual quota requests.

This process integrates seamlessly with AWS Organizations for automated and standardized account provisioning.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

Provision an Aurora Replica in a different Region will meet the requirement of the application being able to recover to a separate AWS Region in the event of an application failure, and no data can be lost, with the least amount of operational overhead.

in this solution, two transit VIFs are created - one from the DX-A connection and one from the DX-B connection - into the same Direct Connect gateway for high availability. Both the eu-west-1 and us-east-1 transit gateways are then associated with this Direct Connect gateway. The transit gateways are then peered with each other to support cross-Region routing. This solution meets the requirements of the company by creating a highly available connection between the on-premises data center and the VPCs in both the eu-west-1 and us-east-1 regions, and by enabling direct traffic routing between VPCs in those regions.

it will use the ALB to handle the unpredictable bursts of traffic and route it to the SQS queue. The SQS queue will act as a buffer to store incoming data temporarily and the container running in Amazon ECS with the Fargate launch type will process messages in the queue. This approach will ensure that all data is processed and prevent data loss.

https://aws.amazon.com/premiumsupport/knowledge-center/aws-sftp-endpoint-type/

Storing the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key will enable encrypting and managing the credentials securely1. AWS Secrets Manager helps you to securely encrypt, store, and retrieve credentials for your databases and other services2. Attaching a role to each Lambda function to provide access to the secret will enable retrieving the credentials programmatically1. Restricting access to the secret and the customer managed key so that only members of the IT security team’s IAM user group can access them will enable meeting the security requirements1.

The best solution is to store the database credentials for both environments in AWS Secrets Manager with distinct key entry for the QA environment and the production environment. AWS Secrets Manager is a web service that can securely store, manage, and retrieve secrets, such as database credentials. AWS Secrets Manager also supports automatic rotation of secrets by using Lambda functions or built-in rotation templates. By storing the database credentials for both environments in AWS Secrets Manager, the company can avoid exposing credentials within application code and rotate passwords automatically. By providing a reference to the Secrets Manager key as an environment variable for the Lambda functions, the company can easily access the credentials from the code by using the AWS SDK. This solution meets all the requirements of the company.

Taking a snapshot of the EBS volume using Amazon Data Lifecycle Manager (DLM) will meet the requirements because it allows you to create a backup of the volumewithout the need to access the instance or its SSH key pair. Additionally, DLM allows you to schedule the backups to occur at specific intervals and also enables you to copy the snapshots to an S3 bucket. This approach will not impact the running application as the backup is performed on the EBS volume level.

Comprehensive and Detailed Explanation:

A. Using AWS CloudFormation templates allows for the automation of infrastructure deployment. By parameterizing the templates, resources can be provisioned consistently across multiple Regions, reducing administrative overhead and ensuring infrastructure as code practices.

D. Amazon Route 53 latency-based routing directs user requests to the AWS Region that provides the lowest latency, improving access times for users globally and enhancing the user experience.

E. Enabling DynamoDB Streams and adding a second Region to create a global table ensures that data is replicated across Regions, providing high availability and disaster recovery capabilities.

This combination of steps ensures that the application stack is replicated efficiently across Regions, providing disaster recovery, improved performance, and scalability, all while minimizing manual administrative tasks.

minimizes operational + microservices that run on containers = AWS Elastic Beanstalk

Amazon AppStream 2.0 offers a streamlined solution for rehosting a Windows-based desktop application on AWS with minimal development effort. By creating an AppStream 2.0image that includes the application and using an On-Demand fleet for streaming, the application becomes accessible from any device, including Linux machines. AppStream 2.0 user pools can be used for authentication, simplifying access management without the need for extensive changes to the application or infrastructure.

AWS Documentation on Amazon AppStream 2.0 provides insights into setting up application streaming solutions. This approach is recommended for delivering desktop applications to diverse operating systems without the complexity of managing virtual desktops or extensive application refactoring.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-cost-categories.html

https://aws.amazon.com/premiumsupport/knowledge-center/cost-explorer-analyze-spending-and-usage/

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-cost-categories.htmlhttps://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html

The best combination of actions to meet the company’s requirements is Options A, C, and F.

Option A involves activating the user-defined cost allocation tags that represent the application and the team. This will allow the company to assign costs to different applications or teams, and will allow them to be tracked in the monthly AWS bill.

Option C involves creating a cost category for each application in Billing and Cost Management. This will allow the company to easily identify and compare costs across different applications and teams.

Option F involves enabling Cost Explorer. This will allow the company to view the costs of their AWS resources over the last 12 months and to create forecasts for the next 12 months.

These recommendations are in line with the official Amazon Textbook and Resources for the AWS Certified Solutions Architect - Professional certification. In particular, the book states that “You can use cost allocation tags to group your costs by application, team, or other categories” (Source:https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS_Certified_Solutions_Architect_Professional_Exam_Guide_EN_v1.5.pdf).Additionally, the book states that “Cost Explorer enables you to view the costs of your AWS resources over the last 12 months and to create forecasts for the next 12 months” (Source:https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS_Certified_Solutions_Architect_Professional_Exam_Guide_EN_v1.5.pdf).

In this solution, the company can use Amazon SES to send email messages, which will minimize operational overhead as SES is a fully managed service that handles sending and receiving email messages. The company can store the email template on Amazon SES with parameters for the customer data and use an AWS Lambda function to call the SendTemplatedEmail API operation, passing in the customer data to replace the parameters and the email destination. This solution eliminates the need to set up and manage an SMTP server on EC2 instances, which can be costly and time-consuming.

https://docs.aws.amazon.com/application-discovery/latest/userguide/discovery-agent.htmlhttps://docs.aws.amazon.com/migrationhub/latest/ug/ec2-recommendations.html

Creating a headless Aurora DB cluster in the secondary Region as part of an Aurora global database ensures continuous, low-latency replication without running active instances in the secondary Region.

This configuration meets the RTO and RPO requirements by allowing rapid promotion of the secondary cluster in a failover scenario.

It also reduces operational costs compared to continuously running standby instances in the secondary Region.

This aligns with AWS best practices for DR and cross-Region resiliency.

A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any Region and access it from all other Regions. The following describe scenarios where you can use a Direct Connect gateway.https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/

In this scenario, the Amazon EC2 instances are in an Auto Scaling group already which means that the database read operations is the possible bottleneck especially during the month-end wherein the reports are generated. This can be solved by creating RDS read replicas.

B: Outbound Resolver endpoints enable EC2 instances tosendDNS queries to external resolvers (i.e., on-prem DNS servers).

C: A forwarding rule must be created to forward the internal.company.com domain to the on-prem resolver.

E: You must associate the rule withevery VPCthat needs to forward the queries.

Incorrect:

A: Inbound endpoints are forreceivingDNS queries from on-prem to AWS, not vice versa.

D: There’s no such thing as a " System " rule type.

F: Limiting to one VPC won ' t meet the requirement.

Transfer acceleration. S3 Transfer Acceleration utilizes the Amazon CloudFront global network of edge locations to accelerate the transfer of data to and from S3 buckets. By enabling S3 Transfer Acceleration on the centralized S3 bucket, the users in Europe will experience faster uploads as their data will be routed through the closest CloudFront edge location.

GitHub Webhooks to Trigger CodePipeline:

Configure GitHub webhooks to trigger the AWS CodePipeline pipeline. This ensures that every code push to the repository automatically triggers the pipeline, initiating the build and deployment process.

Unit Testing with Jenkins and AWS CodeBuild:

Use Jenkins integrated with the AWS CodeBuild plugin to perform unit testing. Jenkins will manage the build process, and the results will be handled by CodeBuild.

Notifications for Bad Builds:

Configure Amazon SNS (Simple Notification Service) to send alerts for any failed builds. This keeps the engineering team informed of build issues immediately, allowing for quick resolutions.

Blue/Green Deployment with AWS CodeDeploy:

Utilize AWS CodeDeploy with a blue/green deployment strategy. This method reduces downtime and risk by running two identical production environments (blue and green). CodeDeploy shifts traffic between these environments, allowing you to test in the new environment (green) while the old environment (blue) remains live. If issues arise, you can quickly roll back to the previous environment.

This solution provides seamless, zero-downtime deployments, and the ability to quickly roll back changes if necessary, fulfilling the requirements of the startup company.

References

AWS DevOps Blog on Integrating Jenkins with AWS CodeBuild and CodeDeploy【32】.

Plain English Guide to AWS CodePipeline with GitHub【33】.

Jenkins Plugin for AWS CodePipeline【34】.

https://repost.aws/knowledge-center/vpc-ip-address-range

This is doable with IAM policy creation to restrict users to specific instance types. Found the below article.https://blog.vizuri.com/limiting-allowed-aws-instance-type-with-iam-policy

Using AWS Backup to create a scheduled daily backup plan for the EC2 instances will enable taking snapshots of the EC2 instances and their attached EBS volumes1. Configuring the backup task to copy the backups to a vault in the secondary Region will enable maintaining backups in a separate Region1. In the event of a failure, launching the CloudFormation template will enable deploying the network configuration in the secondary Region2. Restoring the instance volumes and configurations from the backup vault will enable recovering the EC2 instances and their data1. Transferring usage to the secondary Region will enable resuming operations2.

Connect the IoT sensors to AWS IoT Core. Set a rule to invoke an AWS Lambda function to parse the information and save a .csv file to Amazon S3. Use AWS Glue to catalog the files. Use Amazon Athena and Amazon QuickSight for analysis. This solution meets the requirement of faster analysis and cost optimization by using AWS IoT Core to collect data from the IoT sensors in real-time and then using AWS Glue and Amazon Athena for efficient data analysis.

This solution involves connecting the loT sensors to the AWS loT Core, setting a rule to invoke an AWS Lambda function to parse the information, and saving a .csv file to Amazon S3. AWS Glue can be used to catalog the files and Amazon Athena and Amazon QuickSight can be used for analysis. This solution will enable faster and more cost-effective data analysis.

This solution is in line with the official Amazon Textbook and Resources for the AWS Certified Solutions Architect - Professional certification. In particular, the book states that: “AWS IoT Core can be used to ingest and process the data, AWS Lambda can be used to process and transform the data, and Amazon S3 can be used to store the data. AWS Glue can be used to catalog and access the data, Amazon Athena can be used to query the data, and Amazon QuickSight can be used to visualize the data.” (Source:https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS_Certified_Solutions_Architect_Professional_Exam_Guide_EN_v1.5.pdf)

AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. By creating a management account and inviting all the existing accounts to join the organization, the solutions architect can track and consolidate expenditures for all the accounts using AWS Cost Management tools such as AWS Cost Explorer and AWS Budgets. An organizational unit (OU) is a group of accounts within an organization that can be used to apply policies and simplify management. A service control policy (SCP) is a type of policy that you can use to manage permissions in your organization. By creating an OU that includes all the development teams and applying an SCP that allows the creation of resources only in Regions that are in the United States, the solutions architect can ensure that the company meets its compliance requirements and avoids unwanted charges from other Regions. An IAM role is an identity with permission policies that determine what the identity can and cannot do in AWS. By creating an IAM role in the management account and allowing the finance team users to assume it, the solutions architect can give them access to view the Billing and Cost Management console without sharing credentials or creating additional users. References:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

https://docs.aws.amazon.com/aws-cost-management/latest/userguide/what-is-costmanagement.html

This option allows the solutions architect to use session tags to pass additional information about the federated user, such as the development unit name, to AWS1. Session tags are key-value pairs that you can define in your identity provider (IdP) and pass in your SAML assertion1. By using a deny action and a StringNotEquals condition in the IAM policy, you can prevent developers from accessing or modifying EC2 instances that belong to a different development unit2. This way, you can enforce fine-grained access control and prevent accidental or malicious incidents.

Passing session tags in SAML assertions

Using tags for attribute-based access control

Using AWS IoT Core to receive the vehicle data will enable connecting the smart vehicles to the cloud using the MQTT protocol1. AWS IoT Core is a platform that enables you to connect devices to AWS Services and other devices, secure data and interactions, process and act upon device data, and enable applications to interact with devices even when they are offline2. Configuring rules to route data to an Amazon Kinesis Data Firehose delivery stream that stores the data in Amazon S3 will enable processing and storing the vehicle data in a scalable and reliable way3. Amazon Kinesis Data Firehose is a fully managed service that delivers real-time streaming data to destinations such as Amazon S3. Creating an Amazon Kinesis Data Analytics application that reads from the delivery stream to detect anomalies will enable analyzing the vehicle data using SQL queries or Apache Flink applications. Amazon Kinesis Data Analytics is a fully managed service that enables you to process and analyze streaming data using SQL or Java.

This option uses the S3 Storage Lens default dashboard to track bucket and encryption metrics across two AWS Regions. S3 Storage Lens is a feature that provides organization-wide visibility into object storage usage and activity trends, and delivers actionable recommendations to improve cost-efficiency and apply data protection best practices. S3 Storage Lens delivers more than 30 storage metrics, including metrics on encryption, replication, and data protection. The default dashboard provides a summary of the entire S3 usage and activity across all Regions and accounts in an organization. The company can give the compliance teams access to the dashboard directly in the S3 console, which requires the least operational overhead.

Lambda has a maximum timeout of 900 seconds, or 15 minutes. Since the function is already configured with the maximum timeout and still fails, the workload should move to a containerized compute model that can run longer. The least operational overhead option is Amazon ECS with AWS Fargate. The application code should be packaged as a Docker container image and stored in Amazon ECR, which ECS task definitions can reference. EventBridge can invoke ECS tasks directly and supports ECS parameters, including the Fargate launch type. This avoids keeping Lambda in the execution path and removes the need to manage EC2 container instances. Storing container images in S3 is not the standard ECS deployment model, and Step Functions does not directly “use” a Docker image as described. (AWS Documentation)

===============

https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-error-kms/

" An error occurred (AccessDenied) when calling the PutObject operation: Access Denied " This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_access-cross-account-role " When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role named OrganizationAccountAccessRole in the account " you need OrganizationAccountAccessRole in member account to create an read-only role and use role from security team to assume this read-only role.

C is correct because:

AWS WAF integrates natively with API Gateway and protects against common web exploits (e.g., SQL injection, XSS).

Amazon Inspector can scan the legacy EC2 instance for known vulnerabilities.

Amazon GuardDuty is a continuous security monitoring service that detects threats butdoes not blocktraffic (B and D are incorrect because GuardDuty doesn’t block).

The company wants three things: minimize client-to-broker latency within the same Availability Zone, increase available bandwidth, and increase the scaling speed of the MSK cluster. The current brokers are Standard brokers (two per AZ). Clients use default settings, which means they are not explicitly configured for rack awareness or AZ affinity.

A common way to reduce latency in multi-AZ Kafka deployments is to enable rack awareness on clients and brokers so clients prefer brokers in the same “rack,” which can map to an Availability Zone. In Kafka, the client.rack setting allows the client to include rack information so the broker can return metadata that helps the client select replicas that are closest, reducing cross-AZ traffic and improving latency.

To increase bandwidth and improve scaling speed, the most direct approach in the choices is to move from Standard brokers to Express brokers. Express brokers are designed to provide higher throughput and faster scaling characteristics compared to standard broker types. Since the question explicitly calls out increasing available bandwidth and scaling speed, the broker type change is the key lever, and it can be combined with client.rack configuration to minimize cross-AZ latency.

Option C matches these requirements: it replaces Standard brokers with Express brokers (to improve throughput/bandwidth and scaling speed) and sets client.rack to the Availability Zone identifier (az_id) to improve locality and reduce latency between clients and brokers in the same AZ.

Option A is not appropriate because MSK does not use EC2 Auto Scaling predictive scaling in that manner, and Kafka clients/brokers are not “associated” with an EC2 placement group as a primary latency solution in MSK. Placement groups are for EC2 instance placement; MSK broker placement is managed by the service.

Option B introduces a proxy layer and MSK Connect in a way that increases complexity and does not directly guarantee lower latency or higher bandwidth. MSK Connect is for Kafka Connect workloads, not as a general-purpose low-latency routing proxy for Kafka clients. Cruise Control is used for partition rebalancing and cluster optimization, but it does not replace the benefits of higher-throughput broker types and client rack awareness for AZ locality.

Option D increases broker size and introduces PrivateLink endpoints. PrivateLink is about private connectivity from VPCs to services and does not inherently ensure AZ-local broker selection or reduce latency between clients and brokers in the same AZ. Also, resizing to xlarge increases capacity but does not address scaling speed and locality as directly as express brokers plus rack configuration.

Therefore, option C best meets all requirements.

https://repost.aws/knowledge-center/kinesis-readprovisionedthroughputexceeded

Follow Data Streams best practices

To mitigate ReadProvisionedThroughputExceeded exceptions, apply these best practices:

• Reshard your stream to increase the number of shards in the stream.

• Use consumers with enhanced fan-out. For more information about enhanced fan-out, see Developing custom consumers with dedicated throughput (enhanced fan-out).

• Use an error retry and exponential backoff mechanism in the consumer logic if ReadProvisionedThroughputExceeded exceptions are encountered. For consumer applications that use an AWS SDK, the requests are retried by default.

A: Use dynamic IAM policies with {aws:PrincipalTag/userName} to enforceprefix-level access control— i.e., bucket/userA/*, bucket/userB/*.

C: Enable CloudTraildata eventsto capture object-level access andquery them withAthena. This is the AWS-recommended way to audit per-user object access.

Incorrect:

B doesn ' t provide user isolation.

D only capturesmanagement events, not object-level data access.

E is legacy, inefficient, and not structured for per-user auditing.

B:https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.requests

D:https://aws.amazon.com/blogs/compute/robust-serverless-application-design-with-aws-lambda-dlq/c

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-overview-developer-experience.html

https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-instance-type-requirements.html#use-attribute-based-instance-type-selection-prerequisites

AWS Systems Manager State Manager is the correct service because it maintains a desired configuration state across managed nodes. An association can define that specific software, such as antivirus or monitoring agents, must be installed and running with the required configuration. This directly satisfies the requirement to ensure all 10,000 EC2 instances consistently run the latest SaaS agent configuration with the least administrative overhead. A custom Lambda that logs in to every machine is fragile, hard to secure, and operationally expensive. AWS Config is useful for evaluating resource configuration, but it is not the most direct tool for recurring software installation and configuration enforcement inside EC2 instances. Session Manager and user data are also poor choices because user data normally runs at launch and does not continuously enforce state. (AWS Documentation)

===============

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

To effectively gather information about network dependencies between VMs in an on-premises data center for migration to AWS, it ' s crucial to use tools that can capture detailed application and server dependencies. The AWS Application Discovery Service is designed for this purpose, particularly when migrating from environments like Linux-based VMware VMs. By installing the AWS Application Discovery Agent on the on-premises servers, the service can collect necessary data such as host IP addresses, hostnames, and network connection information. This data is crucial for creating a comprehensive network diagram that outlines the interactions and dependencies between various components of the on-premises infrastructure. The integration with AWS Migration Hub enhances this process by allowing the visualization of these dependencies in a network diagram format, aiding in the planning and execution of the migration process. This approach ensures a thorough understanding of the on-premises environment, which is essential for a successful migration to AWS.

SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role.https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/

This approach allows the procurement managers to assume the procurement-manager-role in shared services accounts, which have the AWSPrivateMarketplaceAdminFullAccess managed policy attached to it and can then manage the Private Marketplace. The organization root-level SCP denies the permission to administer Private Marketplace to everyone except the role named procurement-manager-role and another SCP denies the permission to create an IAM role named procurement-manager-role to everyone in the organization, ensuring that only the procurement team can assume the role and manage the Private Marketplace. This approach provides a centralized way to manage and restrict access to Private Marketplace while maintaining a high level of security.

The requirements emphasize minimum downtime, rapid migration, managed database services, high availability, and support for stored procedures. For Oracle-to-AWS migrations with minimal downtime, AWS DMS can replicate ongoing changes from the source database to the target, which reduces cutover downtime. However, a critical constraint is that the database contains stored procedures. If the company moves to a different engine, it must convert schema objects and procedural code.

Option D is the only option that combines an online replication approach (AWS DMS) with a managed, highly available target database (Amazon Aurora PostgreSQL) and explicitly includes schema and stored procedure conversion with AWS SCT. This aligns with a fast migration approach: SCT prepares the converted schema and stored procedures, while DMS performs ongoing replication of data changes until cutover, minimizing downtime. Aurora PostgreSQL is a managed service and supports high availability through multi-AZ architecture and managed failover capabilities within a Region.

Option A is incorrect because Amazon RDS does not use an S3 bucket “as database storage” in the way described. RDS storage is managed by the RDS service, and S3 replication is not the mechanism used to provide database high availability. High availability for RDS is typically achieved through Multi-AZ configurations and/or cluster-based architectures depending on engine. The described storage approach is not a valid managed RDS architecture.

Option B does not meet the managed database requirement because it restores Oracle onto EC2 instances, which is self-managed. It also does not meet minimum downtime because it requires shutting down the on-premises database to avoid new transactions before restoring the backup. This is a longer outage model than an online migration with continuous replication.

Option C is not feasible and would require major redesign. DynamoDB is not a relational database replacement for Oracle stored procedures. DAX is a DynamoDB cache and cannot run stored procedures. The option also incorrectly suggests running stored procedures “in DAX.” This does not meet the “migrate as quickly as possible with minimum downtime” requirement due to extensive refactoring and redesign.

Therefore, migrating to Aurora PostgreSQL using AWS SCT for schema and stored procedure conversion, and AWS DMS for ongoing replication to minimize downtime, is the best fit.

This solution allows for deploying the Lambda function and API Gateway endpoint to another region, providing a failover option in case of any issues in the primary region. Using Route 53 ' s failover routing policy allows for automatic routing of traffic to the healthy endpoint, ensuring that the application is available even in case of issues in one region. This solution provides a cost-effective and simple way to implement failover while minimizing operational overhead.

https://aws.amazon.com/dms/schema-conversion-tool/

AWS Schema Conversion Tool (SCT) can automatically convert the database schema from Microsoft SQL Server to Amazon RDS for MySQL. This allows for a smooth transition of the database schema without any manual intervention. AWS DMS can then be used to migrate the data from the on-premises databases to the newly created Amazon RDS for MySQL instance. This service can perform a one-time migration of the data or can set up ongoing replication of data changes to keep the on-premises and AWS databases in sync.

AWS Global Accelerator is a networking service that helps you improve the availability and performance of the applications that you offer to your global users1. It provides static IP addresses that act as a fixed entry point to your applications and route user traffic to the optimal endpoint based on performance, health, and policies that you configure1. By creating a standard accelerator endpoint for the NLB in each additional Region, you can ensure that customers are automatically directed to the Region that is geographically closest to them2. You can also provide customers with the Global Accelerator IP address, which is anycast from AWS edge locations and does not change when you add or remove endpoints3.

What is AWS Global Accelerator?

Standard accelerator endpoints

AWS Global Accelerator IP addresses

This solution utilizes Amazon S3 and CloudFront to deploy the UI as a static website, which can be done with minimal development effort. The business logic and API tier can be containerized in a Docker image and stored in Amazon Elastic Container Registry (ECR) and run on Amazon Elastic Container Service (ECS) with the Fargate launch type, which allows the application to be highly available with minimal operational overhead. The data layer can be deployed on an Amazon Aurora MySQL DB cluster which is a fully managed relational database service.

Amazon Aurora provides high availability and performance for the data layer without the need for managing the underlying infrastructure.

Option D provisions a new Amazon Connect instance with all existing users and contact flows in a second Region. It also sets up an Amazon Route 53 health check for the URL of the Amazon Connect instance, an Amazon CloudWatch alarm for failed health checks, and an AWS Lambda function to deploy an AWS CloudFormation template that provisions claimed phone numbers. This option allows for the fastest recovery time because all the necessary components are already provisioned and ready to go in the second Region. In the event of a disaster, the failed health check will trigger the AWS Lambda function to deploy the CloudFormation template to provision the claimed phone numbers, which is the only missing component.

This solution allows developers to quickly launch resources using pre-approved configurations and instance types, while also ensuring that the resources launched comply with the company ' s architectural patterns. This can help reduce data transfer and compute costs associated with the resources. Using AWS Service Catalog also allows the company to control access to the approved configurations and resources through the use of IAM roles, while also allowing developers to quickly provision resources without negatively affecting their ability to perform their tasks.

The correct solution is to use an Amazon S3 File Gateway to store the copy of the SMB file share on AWS. An S3 File Gateway enables on-premises applications to store and access objects in Amazon S3 using the SMB protocol. The S3 File Gateway can also be accessed from AWS using the SMB protocol, which provides the ability to use the data from either the data center or AWS if a disaster occurs. The S3 File Gateway supports tiering of data to different S3 storage classes based on the file type. This allows the company to optimizethe storage costs by using S3 Standard-Infrequent Access (S3 Standard-IA) for the metadata files, which are rarely accessed but must be available within 5 minutes, and S3 Glacier Deep Archive for the image files, which are the lowest-cost storage class and suitable for long-term retention of data that is rarely accessed. This solution is the most cost-effective because it does not require any additional hardware, software, or replication services.

The other solutions are incorrect because they either use more expensive or unnecessary services or components, or they do not meet the requirements. For example:

Solution A is incorrect because it uses AWS Outposts with Amazon S3 storage, which is a very expensive and complex solution for the scenario in the question. AWS Outposts is a service that extends AWS infrastructure, services, APIs, and tools to virtually any data center, co-location space, or on-premises facility. It is designed for customers who need low latency and local data processing. Amazon S3 storage on Outposts provides a subset of S3 features and APIs to store and retrieve data on Outposts. However, this solution does not provide SMB access to the data on Outposts, which requires a Windows EC2 instance on Outposts as a file server. This adds more cost and complexity to the solution, and it does not provide the ability to access the data from AWS if a disaster occurs.

Solution B is incorrect because it uses Amazon FSx File Gateway and Amazon FSx for Windows File Server Multi-AZ file system that uses SSD storage, which are both more expensive and unnecessary services for the scenario in the question. Amazon FSx File Gateway is a service that enables on-premises applications to store and access data in Amazon FSx for Windows File Server using the SMB protocol. Amazon FSx for Windows File Server is a fully managed service that provides native Windows file shares with the compatibility, features, and performance that Windows-based applications rely on. However, this solution does not meet the requirements because it does not provide the ability to use different storage classes for the metadata files and image files, and it does not provide the ability to access the data from AWS if a disaster occurs. Moreover, using a Multi-AZ file system that uses SSD storage is overprovisioned and costly for the scenario in the question, which involves rarely accessed data that must be available within 5 minutes.

Solution D is incorrect because it uses an S3 File Gateway that uses S3 Standard-IA for both the metadata files and image files, which is not the most cost-effective solution for the scenario in the question. S3 Standard-IA is a storage class that offers high durability, availability, and performance for infrequently accessed data. However, it is more expensive than S3 Glacier Deep Archive, which is the lowest-cost storage class and suitable for long-term retention of data that is rarely accessed. Therefore, using S3 Standard-IA for the image files, which are likely to be larger and more numerous than the metadata files, is not optimal for the storage costs.

What is S3 File Gateway?

Using Amazon S3 storage classes with S3 File Gateway

Accessing your file shares from AWS

Create an Amazon Simple Notification Service (Amazon SNS) topic with a subscription of type " Email " that targets the team ' s mailing list. This will create a topic for sending notifications and add a subscription for the team ' s email list to that topic. C. Add a Catch field to all Task, Map, and Parallel states that have a statement of " ErrorEquals " : [ " States.ALL " ] and " Next " : " Email " . This will ensure that any errors that occur in any of the steps in the workflow will trigger the " Email " task, which will forward the inputarguments to the SNS topic created in step A. B. Create a task named " Email " that forwards the input arguments to the SNS topic. This will allow the company to send email notifications to the team ' s mailing list in case of any errors occurred in any step in the workflow.

Establish AWS Direct Connect Connections:

Step 1: Set up two AWS Direct Connect (DX) connections from the company headquarters to a chosen AWS Region. This provides a redundant and high-availability setup to ensure continuous connectivity.

Step 2: Ensure that these DX connections terminate in a specific Direct Connect location associated with the chosen AWS Region.

Use Company WAN:

Step 1: Configure the company ' s global WAN to route traffic through the established Direct Connect connections.

Step 2: This setup ensures that all traffic between the company ' s headquarters and AWS does not traverse the public internet, maintaining compliance with security requirements.

Set Up Direct Connect Gateway:

Step 1: Create a Direct Connect Gateway in the AWS Management Console. This gateway allows you to connect your Direct Connect connections to multiple VPCs across different AWS Regions.

Step 2: Associate the Direct Connect Gateway with the VPCs in the various Regions where your critical data is stored. This enables access to data in multiple Regions through a single Direct Connect connection.

By using Direct Connect and Direct Connect Gateway, the company can achieve secure, reliable, and cost-effective access to data stored across multiple AWS Regions without using the public internet, ensuring compliance with industry regulations.

References

AWS Direct Connect Documentation

Building a Scalable and Secure Multi-VPC AWS Network Infrastructure​(AWS Documentation)​​(AWS Documentation)​.

The key requirements are: OpenSearch Service must be deployed within a VPC (VPC-only access), and developers must access OpenSearch from their local machines across multiple locations, including home networks. The most suitable low-overhead approach is to provide remote users with secure client-based connectivity into the VPC so they can reach private endpoints.

AWS Client VPN is a managed client-based VPN service that allows individual users to establish secure TLS VPN connections from their devices into a VPC. By associating a Client VPN endpoint with a subnet in the VPC and configuring authorization rules and routes, developers can access private resources (including VPC-only Amazon OpenSearch Service endpoints) as if they were on the corporate network. Client VPN is designed for distributed workforces and supports users connecting from anywhere without requiring each remote location to have dedicated network appliances.

Option A matches the need for remote developer access from home and multiple offices with the least operational overhead because it is a managed service for user-based VPN access and does not require running and maintaining bastion fleets or building site-to-site networks for each location.

Option B is not correct because AWS Site-to-Site VPN is designed to connect networks (for example, an office network or data center) to AWS, not to provide individual developers remote access from arbitrary home networks. Also, instructing developers to use an OpenVPN client does not align with how Site-to-Site VPN is typically used; Site-to-Site VPN terminates on a customer gateway device, not on individual laptops.

Option C is not correct because Direct Connect is designed for dedicated private connectivity between on-premises networks and AWS. It is not a solution for individual developers connecting from home. Additionally, using a public VIF is for reaching public AWS endpoints, whereas the requirement is to keep access within a VPC. A public VIF does not provide private VPC access to VPC-only service endpoints.

Option D is not the best choice because a bastion host provides SSH access to instances, not direct, secure network-level access to VPC-only managed service endpoints from developer tools. It also increases operational overhead (patching, hardening, monitoring, scaling) and introduces additional security considerations. Developers also typically need browser-based or tool-based access to OpenSearch Dashboards, which is better served by VPN access into the VPC than SSH tunneling through a bastion host as a primary access mechanism.

Therefore, configuring AWS Client VPN to provide developers with secure connectivity into the VPC is the correct solution.

Amazon Simple Notification Service (Amazon SNS) is a fully managed pub/sub messaging service that enables users to send messages to multiple subscribers1. Users can sendevent details to an Amazon SNS topic and configure an AWS Lambda function as a subscriber to the SNS topic to process the events. Lambda is a serverless compute service that runs code in response to events and automatically manages the underlying compute resources2. Users can add an on-failure destination to the function and set an Amazon Simple Queue Service (Amazon SQS) queue as the target. Amazon SQS is a fully managed message queuing service that enables users to decouple and scale microservices, distributed systems, and serverless applications3. This way, if a processing error occurs, the event will move into the separate queue for review.

Option B is incorrect because publishing events to an Amazon SQS queue and creating an Amazon EC2 Auto Scaling group will not have the ability to scale in and out based on the number of events that the solution receives. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. Auto Scaling is a feature that helps users maintain application availability and allows them to scale their EC2 capacity up or down automatically according to conditions they define. However, for this use case, using SQS and EC2 will not take advantage of the serverless capabilities of Lambda and SNS.

Option C is incorrect because writing events to an Amazon DynamoDB table and configuring a DynamoDB stream for the table will not have the ability to move events into a separate queue for review if a processing error occurs. Amazon DynamoDB is a fully managed key-value and document database that delivers single-digit millisecond performance at any scale. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. Users can configure the stream to invoke a Lambda function, but they cannot configure an on-failure destination for the function.

Option D is incorrect because publishing events to an Amazon EventBridge event bus and setting an Application Load Balancer (ALB) as the event bus target will not have the ability to move events into a separate queue for review if a processing error occurs. Amazon EventBridge is a serverless event bus service that makes it easy to connect applications with data from a variety of sources. An ALB is a load balancer that distributes incoming application traffic across multiple targets, such as EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. Users can configure EventBridge to retry events, but they cannot configure an on-failure destination for the ALB.

The correct answer is C. This option uses AWS CloudTrail to create a trail in the organization’s management account that applies to all accounts in the organization. This way, the company can centrally manage and audit all API calls to AWS resources across multiple accounts and regions. The company also needs to create a new Amazon S3 bucket with versioning turned on to store the logs. Versioning helps protect against accidental or malicious deletion of log files by keeping multiple versions of each object in the bucket. The company also needs to enable MFA delete and encryption on the S3 bucket to further enhance the security and durability of the data store.

Option A is incorrect because it uses an existing S3 bucket in the organization’s management account to store the logs. This may not be optimal for regulatory compliance, as the existing bucket may have different permissions, encryption settings, or lifecycle policies than a dedicated bucket for CloudTrail logs.

Option B is incorrect because it requires creating a new CloudTrail trail in each member account of the organization. This adds operational overhead and complexity, as the company would need to manage multiple trails and S3 buckets across multiple accounts and regions.

Option D is incorrect because it requires configuring Amazon SNS to send log-file delivery notifications to an external management system that will track the logs. This adds unnecessary complexity and cost, as CloudTrail already provides log-file integrity validation and log-file digest delivery features that can help verify the authenticity and integrity of log files.

Utilizing an IP access control group rule with the list of public addresses from branch offices and associating it with the Amazon WorkSpaces directory is the most operationally efficient solution. This method ensures that access to WorkSpaces is restricted to specified locations, aligning with the corporate security policy. This approach offers simplicity and flexibility, especially with the potential addition of a new branch office, as updating the IP access control group is straightforward.

AWS Documentation on Amazon WorkSpaces and IP Access Control Groups provides detailed instructions on how to implement access restrictions based on IP addresses. This solution aligns with best practices for securing virtual desktops while maintaining operational efficiency.

Comprehensive and Detailed in Depth Explanation:

A is correct because AWS CodeBuild is a fully managed build service that supports running tests and security scans. EventBridge can detect test failures and send notifications via SNS. AWS CDK with manifest files is a robust way to manage feature toggles. CodePipeline supports manual approval stages to allow lead developer intervention.

The company does not have a data inventory and needs to identify which S3 buckets contain sensitive data. The appropriate AWS managed service for discovering and classifying sensitive data in S3 is Amazon Macie. Macie is designed to discover, classify, and report on sensitive data such as PII in S3 buckets. Amazon Inspector is primarily focused on vulnerability management for compute and container resources and does not provide S3 sensitive data classification in the way Macie does.

After identifying sensitive data locations, the company needs to ensure sensitive data is encrypted with a key that only administrators can access. SSE-S3 uses S3-managed keys and does not provide fine-grained administrative control of key usage in the same way as SSE-KMS with a customer managed key. Using AWS KMS customer managed keys allows the company to control access through key policies and IAM policies so that only designated administrator principals can use or manage the key.

The requirement also implies existing objects already encrypted with SSE-S3 need to be re-encrypted with SSE-KMS for sensitive objects. Changing default encryption only affects new objects. Existing objects must be rewritten (copied over themselves or copied to a new location) using SSE-KMS with the customer managed key. An orchestrated workflow is a common approach to iterate over identified objects and perform copy operations with the desired encryption settings.

Option C uses Macie for discovery, creates a KMS customer managed key restricted to administrators, sets bucket default encryption to SSE-KMS for future objects, and uses a Step Functions workflow to re-encrypt existing sensitive objects. This meets both the discovery requirement and the encryption/control requirement.

Option A is incorrect because Inspector is not the right service to inventory sensitive data in S3. Although the use of a customer managed KMS key and bucket policy enforcement is directionally correct for controlling encryption on writes, the first step (sensitive data discovery) is wrong.

Option B is incorrect because AWS managed keys cannot have their key policies modified by customers in the way customer managed keys can. Also, Inspector is not the right tool for sensitive data discovery in S3.

Option D is incorrect for the same reasons: it relies on Macie correctly for discovery but then attempts to modify an AWS managed key policy, which is not the correct method for restricting access. To restrict access, the company should use a KMS customer managed key with an appropriate key policy.

Therefore, using Amazon Macie plus an AWS KMS customer managed key and a workflow to re-encrypt existing sensitive objects is the correct solution.

 AWS Trusted Advisor is a service that provides real-time guidance to help users provision their resources following AWS best practices1. One of the Trusted Advisor checks is “Low Utilization Amazon EC2 Instances”, which identifies EC2 instances that appear to be underutilized based on CPU, network I/O, and disk I/O metrics1. This check can help users optimize the cost and size of their EC2 instances by recommending smaller or more appropriate instance types.

AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of AWS resources and generates optimization recommendations to reduce the costand improve the performance of workloads2. Compute Optimizer supports four types of AWS resources: EC2 instances, EBS volumes, ECS services on AWSFargate, and Lambdafunctions2. For EC2 instances, Compute Optimizer evaluates the vCPUs, memory, storage, and other specifications, as well as the CPU utilization, network in and out, disk read and write, and other utilization metrics of currently running instances3. It then recommends optimal instance types based on price-performance trade-offs.

Option A is incorrect because purchasing AWS Business Support or AWS Enterprise Support for the account will not directly help with cost-optimization and sizing of EC2 instances. However, these support plans do provide access to more Trusted Advisor checks than the basic support plan1.

Option C is incorrect because installing the Amazon CloudWatch agent and configuring memory metric collection on the EC2 instances will not provide any optimization recommendations by itself. However, memory metrics can be used by Compute Optimizer to enhance its recommendations if enabled3.

Option E is incorrect because creating an EC2 Instance Savings Plan for the AWS Regions, instance families, and operating systems of interest will not help with cost-optimization and sizing of EC2 instances. Savings Plans are a flexible pricing model that offer lower prices on Amazon EC2 usage in exchange for a commitment to a consistent amount of usage for a 1- or 3-year term4. Savings Plans do not affect the configuration or utilization of EC2 instances.

A is correct because:

CloudFormation templatesenable repeatable infrastructure deployment.

Route 53 latency-based routingensures users hit the closest Region.

DynamoDB global tablesallow multi-Region, active-active replication of application data.

Manual console work (B) is not scalable.

C lacks EC2/ALB replication.

D adds unnecessary services like Beanstalk and doesn’t scale cleanly.

Comprehensive and Detailed in Depth Explanation:

B is correct because RDS Proxy allows for connection pooling and improved management of DB connections. Lambda + RDS often runs into connection exhaustion during high concurrency unless RDS Proxy is used. Provisioned concurrency prevents cold starts.

D is required because the only reliable way to ensure newly launched Auto Scaling instances are patched is to make the launch template reference an AMI that already includes the latest security updates (an immutable image approach). AWS Systems Manager can automate building and maintaining patched AMIs (for example, through automated image creation workflows), after which the launch template is updated to the new AMI and the fleet is updated using Instance Refresh. Instance Refresh performs a controlled rolling replacement of instances so that the Auto Scaling group converges to the new AMI baseline.

C complements D by ensuring safe replacement and availability during the refresh/replacement process. Placing an ALB in front of the Auto Scaling group with health checks ensures that only healthy, fully bootstrapped/patched instances receive traffic, and that traffic is drained away from instances being replaced. Monitoring target health confirms the rollout is successful and minimizes risk during patch-driven reboots or instance replacement.

Why the other options are incorrect:

A: A termination policy setting does not ensure new instances are patched. It only affects which instances are terminated first. It does not solve the “launch patched instances” requirement.

B: Running two Auto Scaling groups and continuing in-place patching increases operational overhead and still risks drift and unpatched capacity when scaling occurs outside the maintenance window. It also does not address the core issue: the launch template AMI baseline.

E: NLB + termination protection does not ensure instances are patched at launch. Termination protection can interfere with Auto Scaling’s ability to replace instances, and NLB does not inherently provide the same application-layer health check behavior and deployment safety patterns typically used for rolling replacements (compared to ALB target group health checks).

S3 Transfer Acceleration is a feature that enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket1. It works by leveraging the CloudFront edge network to route your requests to S3 over an optimized network path1. By using a Transfer Acceleration endpoint when generating a presigned URL, you can allow authenticated users to upload objects fasterand more reliably2. Additionally, using the S3 multipart upload API can improve the performance of large object uploads by breaking them into smaller parts and uploading them in parallel3.

S3 Transfer Acceleration

Using Transfer Acceleration with presigned URLs

Uploading objects using multipart upload API

AWS Control Tower provides a set of " strongly recommended guardrails " that can be enabled to implement governance and policy enforcement. One of these guardrails is " Encrypt Amazon RDS instances " which will detect RDS DB instances that are not encrypted at rest. By enabling this guardrail and applying it to the production OU, the company will be able to enforce encryption for RDS instances in the production environment.

The correct answer is D. Use a scheduled scaling policy for the EC2 instances. Host the database on an Amazon Aurora PostgreSQL Multi-AZ DB cluster. Create an Amazon EventBridge rule that invokes an AWS Lambda function to create a larger Aurora Replica before a sale event. Fail over to the larger Aurora Replica. Create another EventBridge rule that invokes another Lambda function to scale down the Aurora Replica after the sale event.

This solution will meet the requirements of maximizing availability during the sale events. A scheduled scaling policy for the EC2 instances will allow the application to scale up and down according to the predefined schedule of the sale events. Hosting the database on an Amazon Aurora PostgreSQL Multi-AZ DB cluster will provide high availability and durability, as well as compatibility with PostgreSQL. Creating an Amazon EventBridge rule that invokes an AWS Lambda function to create a larger Aurora Replica before a sale event will ensure that the database can handle the increased read traffic during the peak periods. Failing over to the larger Aurora Replica will make it the primary instance, which will also improve the write performance of the database. Creating another EventBridge rule that invokes another Lambda function to scale down the Aurora Replica after the sale event will reduce the cost and resources of the database.

This option allows the company to use a private repository in Amazon ECR to store and manage its Docker images securely and efficiently1. By creating a permissions policy for the repository that allows only required ECR operations, such as ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, ecr:BatchCheckLayerAvailability, ecr:PutImage, and ecr:InitiateLayerUpload2, the company can restrict access to the repository and prevent unauthorized actions. By including a condition to allow the ECRoperations if the value of the aws:PrincipalOrgID condition key is equal to the ID of the company’s organization, the company can ensure that only accounts that are within its organization can access the images3. By adding a lifecycle rule to the ECR repository that deletes all untagged images over the count of five, the company can reduce storage costs and retain only the most recent untagged images4.

Amazon ECR private repositories

Amazon ECR repository policies

Restricting access to AWS Organizations members

Amazon ECR lifecycle policies

https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager/

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_cloudformation.html

Comprehensive and Detailed Explanation:

This question is mainly about cost optimization for two different workload patterns:

A constant-rate ingestion workload

A noncritical nightly batch analytics workload that can tolerate interruption or rerun

The most cost-effective architecture is to decouple storage from the ingestion servers, store the incoming data in Amazon S3, and run the nightly calculations by using AWS Batch on Spot Instances.

Why B is correct

Amazon Data Firehose can continuously ingest streaming data and deliver the data to Amazon S3. Because the data rate is constant, the company does not need to keep a fleet of EC2 instances running just to collect and retain data on attached EBS volumes. Using S3 as durable storage is operationally simpler and generally more cost-effective than maintaining long-running EC2 ingestion servers with EBS-based storage for this type of streaming landing zone.

For the nightly processing, the job is:

batch oriented,

takes only 4 hours,

not critical to the business,

acceptable to rerun later if interrupted.

These characteristics make Spot Instances an ideal fit. AWS Batch is specifically designed to run batch computing workloads and can efficiently provision and manage compute resources, including Spot Instances. Since the job can tolerate interruption, Spot capacity provides the lowest-cost compute option.

This option reduces cost in both major areas:

storage and ingestion are moved to managed services and object storage,

nightly compute moves from On-Demand Instances to Spot-based batch processing.

Why A is incorrect

A improves the design by moving ingestion to Data Firehose and storage to S3, which is a good step. However, it still uses EC2 On-Demand Instances for nightly processing. Because the nightly workload is not business-critical and can tolerate failure, Spot Instances are a better fit and more cost-effective than On-Demand Instances. Therefore, A is not the most cost-effective choice.

Why C is incorrect

This option keeps ingestion on a fleet of EC2 Reserved Instances with 3-year reservations behind a Network Load Balancer. That is not the most economical or simplest design for constant ingestion when a managed ingestion service such as Data Firehose can deliver directly to S3.

Also, a Network Load Balancer does not add meaningful value for the ingestion requirement described here. The issue is not distributing interactive network traffic to an application fleet. The better architecture is to use a managed data ingestion service instead of recommitting to long-term EC2 reservations.

While AWS Batch with Spot Instances is good for the nightly analytics portion, the ingestion side of this option is still more expensive and less efficient than B.

Why D is incorrect

Amazon Redshift is a data warehouse and is useful for analytical querying, but this option is not the most cost-effective for the stated use case. The company needs to ingest constant-rate streaming market data and run a nightly aggregate job. Storing all incoming data in Redshift is generally a more specialized and potentially more expensive architecture than landing the raw stream in S3 and running elastic batch processing on demand.

The Lambda part is also problematic. The batch processing currently takes 4 hours. AWS Lambda is not designed for long-running heavy batch jobs of this kind. Even if the aggregate query could be expressed in SQL, the answer is still not the most cost-effective and does not align as well with the workload pattern as S3 plus AWS Batch on Spot Instances.

Key design principles being tested

This question tests whether you can identify:

S3 as low-cost, durable storage for incoming streamed data

Managed ingestion services instead of self-managed EC2 ingestion servers

Spot Instances for interruptible, fault-tolerant batch jobs

AWS Batch as the managed orchestration service for batch workloads

Final justification

The most cost-effective redesign is to:

ingest the streaming data with Amazon Data Firehose,

store the data in Amazon S3,

run nightly analytics through AWS Batch on Spot Instances.

That makes B the best answer.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/dns-failover.html

to connect out from the private subnet you need an NAT gateway and since only one Elastic IP whitelisted on firewall its one NATGateway at time and if AZ failure happens Lambda creates a new NATGATEWAY in a different AZ using the Same Elastic IP ,dont be tempted to select D since application that needs to connect is on a private subnet whose outbound connections use the NATGateway Elastic IP

Mountpoint for Amazon S3allows EC2 instances to directly access files in S3 as aPOSIX-compliant mount point, ensuring they always get the latest data without copying or syncing.

It’s simple and cost-effective for read-heavy patterns.

Mountpoint for Amazon S3

The company has migrated an application to EC2 and will deploy it in an additional Region. The usage is expected to be stable for 3 years, but parts of the application will be redesigned over the next 2 years to use AWS Lambda. Therefore, the company will gradually shift a portion of its compute usage from EC2 to Lambda.

Savings Plans are a flexible pricing model that provide lower prices in exchange for a commitment to a consistent amount of compute usage (measured in dollars per hour) for a 1- or 3-year term. There are two main types of Savings Plans:

• Compute Savings Plans: Apply to any EC2 instance usage regardless of Region, instance family, OS, tenancy, and also apply to AWS Fargate and AWS Lambda usage.

• EC2 Instance Savings Plans: Apply only to a specific instance family in a specific Region.

In this scenario, because there will be a gradual migration from EC2-based compute to Lambda-based compute, a plan that only applies to EC2 (EC2 Instance Savings Plan) risks underutilization as more usage moves to Lambda. Compute Savings Plans, by contrast, can cover EC2 now and Lambda later, maintaining high utilization of the commitment and maximizing effective discount.

Option A recommends evaluating Savings Plans recommendations each year in AWS Cost Management and purchasing a 1-year Compute Savings Plan based on those recommendations. The Cost Management tools and Cost Explorer provide Savings Plans recommendations based on actual usage patterns. Buying 1-year Compute Savings Plans and re-evaluating annually allows the company to adjust its committed spend each year as portions of the application move from EC2 to Lambda. This approach maximizes the chance that the Savings Plans coverage matches the actual combined EC2 and Lambda usage over time and avoids being locked into an EC2-only commitment that becomes increasingly underutilized.

Option B is not optimal because it recommends a 3-year EC2 Instance Savings Plan. That commitment applies only to specific EC2 instance families in a Region and does not apply to Lambda. As the company migrates portions of its workloads to Lambda, the EC2 Instance Savings Plan may become underutilized, reducing the effective discount and potentially increasing overall cost. Compute Optimizer also does not provide Savings Plans purchase recommendations; Savings Plans recommendations come from Cost Management and Cost Explorer.

Option C uses 1-year EC2 Instance Savings Plans and adjusts the commitment each year. While this gives some flexibility, EC2 Instance Savings Plans still do not apply to Lambda usage, so over time there is a risk of underutilizing the EC2 commitment as the Lambda portion grows. This does not maximize savings relative to Compute Savings Plans, which can cover both services.

Option D proposes a 3-year EC2 Instance Savings Plan and suggests decreasing the hourly commitment during the term as workloads move to Lambda. However, Savings Plans commitments cannot be decreased during the term. The company would remain obligated to the original 3-year commitment even if EC2 usage drops, leading to wasted commitment.

Therefore, purchasing 1-year Compute Savings Plans each year based on Savings Plans recommendations from AWS Cost Management (option A) is the best strategy to maximize cost savings while the company transitions part of the workload from EC2 to Lambda.

AWS IoT Core’spre-provisioning hookallows custom logic (like serial number validation)beforea device is registered. This ensures that only installed devices connect. Lambda is ideal for such logic.

AWS IoT Just-in-Time Provisioning

https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html

https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html

Set Up EventBridge Event Bus:

Step 1: Open the Amazon EventBridge console and create a custom event bus. This bus will be used to handle user deletion events.

Step 2: Name the event bus appropriately (e.g.,user-deletion-bus).

Post Events on User Deletion:

Step 1: Modify the central user service to post an event to the custom EventBridge event bus whenever a user is deleted.

Step 2: Ensure the event includes relevant details such as the user ID and any other necessary metadata.

Create EventBridge Rules for Microservices:

Step 1: For each microservice that needs to delete user data, create a new rule in EventBridge that triggers on the user deletion event.

Step 2: Define the event pattern to match the user deletion event. This pattern should include the event details posted by the central user service.

Invoke Microservice Logic:

Step 1: Configure the EventBridge rule to invoke a target, such as an AWS Lambda function, which contains the logic to delete the user data from the microservice ' s data store.

Step 2: Each microservice should have its Lambda function or equivalent logic to handle the deletion of user data upon receiving the event.

Using Amazon EventBridge ensures a scalable, reliable, and decoupled approach to handle the deletion of user data across multiple microservices. This setup allows each microservice to independently process user deletion events without direct dependencies on other services.

References

AWS EventBridge Documentation

DynamoDB Streams and AWS Lambda Triggers

Implementing the Transactional Outbox Pattern with EventBridge Pipes​(AWS Documentation)​​(Amazon Web Services, Inc.)​​(Amazon Web Services, Inc.)​​(AWS Documentation)​​(AWS Cloud Community)​.

https://docs.aws.amazon.com/autoscaling/ec2/userguide/adding-lifecycle-hooks.html

- Refer to Default Result section - If the instance is terminating, both abandon and continue allow the instance to terminate. However, abandon stops any remaining actions, such as other lifecycle hooks, and continue allows any other lifecycle hooks to complete.

https://aws.amazon.com/blogs/infrastructure-and-automation/run-code-before-terminating-an-ec2-auto-scaling-instance/

https://github.com/aws-samples/aws-lambda-lifecycle-hooks-function

https://github.com/aws-samples/aws-lambda-lifecycle-hooks-function/blob/master/cloudformation/template.yaml

it covers all the requirements mentioned in the question, it will allow collecting the detailed metrics, including process information and it provides a way to query and analyze the data using Amazon Athena.

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The current CI/CD pipeline uses an IAM user with long-lived access keys stored in GitHub Actions. The new requirement is that pipelines must not use long-lived secret keys. Instead, the solution should provide short-lived credentials with minimal operational overhead.

GitHub Actions natively supports integration with cloud providers using OpenID Connect (OIDC). With OIDC, GitHub acts as an identity provider that can issue OIDC tokens to workflows. On the AWS side, IAM supports configuring an OIDC identity provider and roles that can be assumed by principals presenting valid OIDC tokens through the sts:AssumeRoleWithWebIdentity API. This pattern enables short-lived, automatically rotated credentials for CI/CD jobs without storing long-lived secrets.

In the correct solution (option B), you configure an IAM OIDC identity provider for GitHub in the AWS account. You then create a new IAM role with a trust policy that allows the Github OIDC provider to call sts:AssumeRoleWithWebIdentity, with conditions that restrict which repositories or workflows can assume the role. The existing IAM policy that grants deployment permissions is attached to that role. In GitHub Actions, you update the pipeline configuration to request an OIDC token and assume the IAM role at runtime. Each workflow run receives short-lived credentials without storing static keys, and AWS automatically handles the token verification and temporary credential issuance. This approach is the AWS-recommended pattern for integrating GitHub Actions with AWS without long-lived secrets and has low operational overhead once configured.

Option A uses SAML 2.0, which is typically used for enterprise single sign-on for users, not for GitHub Actions workflows. GitHub does not natively use SAML to obtain AWS credentials for CI/CD pipelines in the same streamlined way as OIDC, and implementing a SAML-based integration would add unnecessary complexity.

Option C introduces Amazon Cognito as an indirection layer. Although Cognito can federate with external identity providers, including social providers, using it as an intermediary to obtain temporary AWS credentials for a machine-to-machine CI/CD pipeline is not necessary when IAM OIDC federation with GitHub is directly supported. This adds additional configuration and operational overhead.

Option D uses IAM Roles Anywhere with client certificates from AWS Private CA. Roles Anywhere is designed for workloads running outside AWS that need to assume IAM roles using X.509 certificates instead of access keys. While technically possible, it requires managing private certificates, trust anchors, and a credential helper tool, which is more complex and operationally heavier than the direct OIDC integration specifically designed for GitHub Actions.

Therefore, configuring an IAM OIDC identity provider for GitHub and creating an IAM role to be assumed via sts:AssumeRoleWithWebIdentity (option B) meets the requirement to replace long-lived secret keys with short-lived credentials with the least operational overhead.

To enhance the network connectivity solution ' s availability, fault tolerance, and security in a cost-effective manner, adding a dynamic private IP AWS Site-to-Site VPN as a secondary path is a viable option. This VPN serves as a resilient backup for the Direct Connect connection, ensuring continuous data flow even if the primary path fails. Implementing MACsec (Media Access Control Security) on the Direct Connect connection further secures the data in transit by providing encryption, thus addressing the security requirement. This solution strikes a balance between cost and operational efficiency, avoiding the higher expenses associated with provisioning an additional Direct Connect connection.

AWS Documentation on AWS Direct Connect and AWS Site-to-Site VPN provides insights into setting up resilient and secure network connections. Additionally, information on MACsec offers guidance on how to implement encryption for Direct Connect connections, aligning with best practices for secure and highly available network architectures.

In the past, EBS can be attached only to one ec2 instance but not anymore but there are limitations like - it works only on io1/io2 instance types and many others as described here. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes-multi.html EFS has shareable storage In terms of performance, Amazon EFS is optimized for workloads that require high levels of aggregate throughput and IOPS, whereas EBS is optimized for low-latency, random access I/O operations. Amazon EFS is designed to scale throughput and capacity automatically as your storage needs grow, while EBS volumes can be resized on demand.