CLF-C02 AWS Certified Cloud Practitioner Question and Answers

AWS CodeDeployis a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Lambda, and on-premises servers. CodeDeploy makes it easy to release new features, helps avoid downtime during application deployment, and handles the complexity of updating applications in a scalable and reliable manner.

Why other options are not suitable:

A. Amazon AppFlow: A service to automate data flows between AWS and SaaS applications, not for application deployment.

C. AWS PrivateLink: A service to securely access AWS services from your virtual private cloud (VPC), not related to application deployments.

D. Amazon EKS Distro: A Kubernetes distribution for running Kubernetes clusters, not specifically designed for automated deployments.

The AWS Well-Architected Framework is a set of six pillars and lenses that help cloud architects design and run workloads in the cloud. The six pillars are: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. Each pillar has a set of design principles and best practices that guide the architectural decisions. High availability is not a separate pillar, but a quality that can be achieved by applying the principles of the reliability pillar. Going global in minutes and continuous development are not pillars of the framework, but possible benefits of using AWS services and following the framework’s recommendations. References: AWS Well-Architected - Build secure, efficient cloud applications, AWS Well-Architected Framework, The 6 Pillars of the AWS Well-Architected Framework

In the AWS Cloud Adoption Framework (AWS CAF), theGovernanceperspective focuses on aligning IT strategy and goals with business processes, which includes managing data assets, setting up an inventory of data products, and ensuring that data cataloging and metadata management are in place. This perspective is crucial for organizing data products and services, which aligns with building a comprehensive data catalog. Other perspectives like Operations, Business, and Platform do not specifically address the management of a data catalog.

AWS KMS is the service that is used to provide encryption for Amazon EBS. AWS KMS is a managed service that enables you to easily create and control the encryption keys used to encrypt your data.Amazon EBS uses AWS KMS to encrypt and decrypt your EBS volumes and snapshots. You can choose to use either the default AWS managed CMK or your own customer managed CMK for encryption. AWS KMS also provides features such as key rotation, audit logging, and access control policies to help you manage your encryption keys and protect your data12. The other services are not used to provide encryption for Amazon EBS. AWS Certificate Manager is a service that lets you provision, manage, and deploy public and private SSL/TLScertificates for use with AWS services and your internal connected resources3. AWS Systems Manager is a service that provides a unified user interface to view and manage your AWS resources, automate common operational tasks, and apply compliance policies4. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. References: Amazon EBS encryption, AWS Key Management Service, AWS Certificate Manager, AWS Systems Manager, [AWS Config]

AWS provides the flexibility to scale resources up or down on demand, enabling companies to test new applications without making long-term commitments. This principle allows for cost efficiency and agility during testing and development. The other options do not specifically highlight the benefits of flexible, on-demand resource scaling.

Amazon EC2 (Elastic Compute Cloud)provides scalable computing capacity in the AWS Cloud, allowing customers to run virtual servers (instances) with different configurations of CPU, memory, storage, and networking capacity. This flexibility is ideal for applications that require specific infrastructure configurations, such as custom marketing and order-processing applications.

A. AWS Lambda: Incorrect, as it is a serverless compute service that automatically manages the computing resources needed to run code but does not offer the flexibility of choosing different instance types.

B. Amazon Cognito: Incorrect, as it is used for user authentication and authorization, not for deploying applications.

C. Amazon Athena: Incorrect, as it is an interactive query service for analyzing data in Amazon S3 using standard SQL.

AWS Cloud References:

Amazon EC2

AWS Snow Family is a group of devices that transport data in and out of AWS. AWS Snow Family devices are physical devices that can transfer up to exabytes of data. One exabyte is 1 000 000 000 000 megabytes. AWS Snow Family devices are designed for use in remote locations where internet connectivity is limited or unavailable. You can use these devices to collect and process data at the edge, and then ship them back to AWS for data upload. AWS Snow Family consists of three types of devices: AWS Snowcone, AWS Snowball, and AWS Snowmobile1234. References: 1: Edge Computing Devices, Secure Data Transfer - AWS Snow Family - AWS, 2: AWS Snow Family Documentation, 3: AWS Snow Family - W3Schools, 4: AWS Snow Family: Data Storage, Migration, and Computation

Amazon AppStream 2.0 and Amazon WorkSpaces are AWS services that can be used to provide managed Windows virtual desktops and applications to remote employees over secure network connections. Amazon AppStream 2.0 is a fully managed application streaming service that allows users to access Windows desktop applications from any device, without installing or managing any software. Amazon AppStream 2.0 delivers applications over an encrypted connection and isolates them from the underlying infrastructure, ensuring security and compliance1. Amazon WorkSpaces is a fully managed desktop virtualization service that allows users to access Windows or Linux desktops from any device, with a consistent user experience. Amazon WorkSpaces provides persistent, cloud-based virtual desktops that can be customized and scaled according to the user’s needs. Amazon WorkSpaces also offers encryption, backup, and monitoring features to ensure security and reliability2. References:

Amazon AppStream 2.0

Amazon WorkSpaces

AWS Organizations is the AWS service or feature that allows users to create new AWS accounts, group multiple accounts to organize workflows, and apply policies to groups of accounts. AWS Organizations enables users to centrally manage and govern their AWS environment across multiple accounts. Users can create organizational units (OUs) to group accounts based on their business needs, such as by function, project, or region. Users can also apply service control policies (SCPs) toOUs or individual accounts to define the permissions and restrictions for the AWS services and resources that they can access. AWS Organizations also offers features such as consolidated billing, account creation automation, and trusted access12. References:

AWS Organizations

What is AWS Organizations?

Amazon Kendra is a highly accurate and easy to use intelligent search service powered by machine learning. It enables users to easily find the content they are looking for, even when it is scattered across multiple locations and content repositories within their organization. Amazon Kendra supports natural language queries, and can search fortext in documents stored in Amazon S3, as well as other sources such as SharePoint, OneDrive, Salesforce, ServiceNow, and more1.

Amazon Rekognition is a computer vision service that makes it easy to add image and video analysis to applications. It can detect objects, faces, text, scenes, activities, and emotions in images and videos. However, it is not designed for searching for text in documents stored in Amazon S32.

Amazon Polly is a text-to-speech service that turns text into lifelike speech. It can create audio versions of books, articles, podcasts, and more. However, it is not designed for searching for text in documents stored in Amazon S33.

Amazon Lex is a service for building conversational interfaces using voice and text. It can create chatbots that can interact with users using natural language. However, it is not designed for searching for text in documents stored in Amazon S34.

A Network Access Control List (ACL) is a stateless network filtering mechanism provided by AWS for controlling traffic in and out of subnets within a VPC. Unlike security groups, which are stateful, network ACLs are stateless. This means that they do not automatically allow responses to inbound traffic unlessexplicitly specified. Network ACLs allow you to set rules for both inbound and outbound traffic, making them suitable for stateless filtering. Security groups, on the other hand, are stateful, while AWS WAF is primarily for web application-level security. AWS PrivateLink is used for privately connecting VPCs to AWS services without using an internet gateway. Therefore, for stateless network filtering, Network ACL is the correct choice.

AWS Trusted Advisoris a service that provides real-time guidance to help you provision your resources following AWS best practices. It offers checks in five categories: cost optimization, performance, security, fault tolerance, and service limits. By continuously monitoring the AWS environment, AWS Trusted Advisor helps ensure that additional developments, integrations, changes, and growth do not jeopardize the optimized infrastructure by providing ongoing optimization and security recommendations.

B. AWS Health Dashboard: Incorrect, as it provides personalized view of service health and status updates but does not offer continuous optimization and security advice.

C. Amazon Connect: Incorrect, as it is a contact center service, not related to infrastructure optimization or security.

D. AWS Systems Manager: Incorrect, as it provides operational insights and management for AWS resources but is not specifically focused on ongoing optimization and security checks.

AWS Cloud References:

AWS Trusted Advisor

When a company moves from on-premises IT architecture to the AWS Cloud, it gains several benefits:

A. Reduced or eliminated tasks for hardware troubleshooting, capacity planning, and procurement: In an on-premises environment, companies must maintain their own hardware, which involves procuring servers, configuring them, managing capacity, and troubleshooting hardware failures. Moving to the AWS Cloud eliminates or greatly reduces these tasks since AWS is responsible for the underlying infrastructure.

E. Faster deployment of new features and applications: AWS provides scalable resources and automation tools that allow companies to deploy applications faster. Services like AWS Elastic Beanstalk, AWS CloudFormation, and AWS Lambda help streamline the deployment process, enabling quicker time-to-market for new features and applications.

Why other options are not suitable:

B. Elimination of the need for trained IT staff: While the cloud reduces certain operational burdens, it does not eliminate the need for skilled IT professionals to manage cloud services, ensure proper configurations, handle security, and manage applications.

C. Automatic security configuration of all applications that are migrated to the cloud: AWS provides security tools and services, but security configurations and management still require input from the customer to tailor them to specific application requirements.

D. Elimination of the need for disaster recovery planning: While AWS offers robust disaster recovery options, companies must still plan and implement disaster recovery strategies, such as backups and multi-region deployments.

Agility is the AWS Cloud benefit that gives a company the ability to quickly deploy cloud resources to access compute, storage, and database infrastructures in a matter of minutes. Agility means that you can reduce the time to make IT resources available to your developers from weeks to just minutes, resulting in a dramatic increase in innovation and responsiveness1. AWS provides a range of services and tools that enable you to launch, scale, and manage your cloud applications with ease and speed, such as AWS CloudFormation, AWS Elastic Beanstalk, AWS CodeDeploy, and AWS Quick Starts2345. References:

Six advantages of cloud computing - Overview of Amazon Web Services

[AWS CloudFormation]

[AWS Elastic Beanstalk]

[AWS CodeDeploy]

AWS Quick Starts

Refactoring involves re-architecting and modifying an application to take advantage of cloud-native features. In this case, the company wants to modernize a monolithic application by breaking it into microservices. This process aligns with the Refactor strategy, which is aimed at modernizing and re-architecting applications. Rehost, Repurchase, and Replatform do not involve the level of re-architecting needed to move from a monolithic to a microservices architecture.

According to theAWS Shared Responsibility Model, AWS is responsible for the security "of" the cloud (such as protecting the infrastructure, including hardware, software, networking, and facilities that run AWS Cloud services). In contrast, customers are responsible for security "in" the cloud. This includes configuring and using AWS services securely.

D. Use AWS Identity and Access Management (IAM) according to the principle of least privilegeis a customer's responsibility. Customers must manage their credentials, control access to resources, and ensure that IAM policies follow the principle of least privilege, which means granting only the permissions necessary to perform a task.

Why other options are not suitable:

A. Patch the Amazon DynamoDB operating system: AWS is responsible for managing and patching the infrastructure for managed services like DynamoDB.

B. Secure Amazon CloudFront edge locations by allowing physical access according to the principle of least privilege: AWS handles physical security of its edge locations.

C. Protect the hardware that runs AWS services: AWS is responsible for protecting the physical hardware that runs AWS services.

According to the AWS shared responsibility model, AWS is responsible for protecting the infrastructure that runs all ofthe services offered in the AWS Cloud, such as data centers, hardware, software, networking, and facilities1. This includes the configuration of infrastructure devices, such as routers, switches, firewalls, and load balancers2. Customers are responsible for managing their data, applications, operating systems, security groups, and other aspects of their AWS environment1. Therefore, options A, B, and D are customer responsibilities, not AWS responsibilities. References: 1: AWS Well-Architected Framework - Elasticity; 2: Reactive Systems on AWS - Elastic

AWS CloudFormation allows users to define and deploy infrastructure as code, creating highly repeatable and consistent configurations across environments. It uses templates to automate the provisioning and management of resources. CodeDeploy focuses on application deployment, and Systems Manager offers operational management, but neither provides templated infrastructure deployment at the same level as CloudFormation.

Cost Explorer enables visualization and analysis of AWS costs and usage over specific time periods. It provides detailed reports, trends, and forecasts for cost management. Consolidated billing and AWS Organizations are useful for billing management across accounts, while AWS Budgets helps set spending thresholds but does not provide visualization tools for cost and usage.

The company should deploy the EC2 instances across multiple Availability Zones to design a highly available application. Availability Zones are isolated locations within an AWS Region that are engineered to be fault-tolerant and operate independently of each other. By deploying the EC2 instances across multiple Availability Zones, the company can ensure that their application can withstand the failure of an entire Availability Zone and continue to operate with minimal disruption. Deploying the EC2 instances across multiple edge locations, VPCs, or AWS accounts will not provide the same level of availability and fault tolerance as Availability Zones. Edge locations are part of the Amazon CloudFront service, which is a content delivery network (CDN) that caches and serves webcontent to users. VPCs are virtual networks that isolate the AWS resources within an AWS Region. AWS accounts are the primary units of ownership and access control for AWS resources12

Compute Savings Plans provide the most flexibility and help to reduce your costs by up to 66%. These plans automatically apply to EC2 instance usage regardless of instance family, size, AZ, Region, OS or tenancy, and also apply to Fargate or Lambda usage. For example, with Compute Savings Plans, you can change from C4 to M5 instances, shift a workload from EU (Ireland) to EU (London), or move a workload from EC2 to Fargate or Lambda at any time and automatically continue to pay the Savings Plans price.

https://aws.amazon.com/savingsplans/compute-pricing/

The reliability pillar of the AWS Well-Architected Framework includes the principle of testing recovery procedures to ensure systems can effectively recover from failures. Regular testing of recovery processes helps verify that systems are resilient and can handle potential disruptions. The other options align with different pillars like cost optimization and operational excellence.

AWS Marketplace is a digital catalog that offers third-party software, including security solutions like intrusion detection systems, which can be deployed directly within an AWS environment. By using AWS Marketplace, companies can find, purchase, and deploy ISP intrusion detection systems or other security tools that meet their specific requirements. Other services, such as AWS Security Hub and Quick Starts, do not directly provide third-party application deployment.

The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating systems in the cloud. The framework consists of five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. The operational excellence pillar focuses on the ability to run workloads effectively, gain insight into operations, and continuously improve supporting processes and procedures. Therefore, the correct answer is C. You can learn more about the AWS Well-Architected Framework and its pillars.

AWS Shared Responsibility Model Overview:

AWS manages securityofthe cloud, including physical infrastructure and foundational services.

Customers are responsible for securityinthe cloud, which includes operating system configuration, data encryption, and application patch management.

Why Patch Management Is Shared:

AWS is responsible for patching the underlying infrastructure.

Customers are responsible for patching the operating system and applications they install on their resources (e.g., EC2 instances).

Why Other Options Are Incorrect:

A. Configuration of Amazon EC2 instance operating systems:Fully the customer’s responsibility.

B. Application file system server-side encryption:Customers configure and manage encryption.

D. Security of the physical infrastructure:Fully AWS’s responsibility.

AWS Budgets is a service that allows you to set custom budgets for your AWS costs and usage, and receive alerts via email or Amazon SNS notifications if you exceed or are forecasted to exceed your budgeted amount1. You can create budgets based on different dimensions, such as service, linked account, tag, or purchase option, and define various types of alerts, such as actual, forecasted, or RI utilization alerts2. You can also configure custom actions to automatically execute remediation tasks or workflows when a budget threshold is breached3. AWS Budgets is the only service among the options that can send alerts to customers if custom spending thresholds are exceeded. The other options are not AWS services that provide this functionality.

AWS Direct Connect provides a dedicated, low-latency, and consistent network connection between on-premises data centers and AWS. This private connection minimizes latency and improves network stability compared to a public internet connection or VPN. AWS Direct Connect is ideal for applications requiring real-time data transfer with minimal latency.

Amazon S3 Glacier Deep Archive is the lowest-cost storage class in the cloud. It is designed for long-term data archiving that is rarely accessed. It offers a retrieval time of 12 hours and a durability of 99.999999999% (11 9’s). It is ideal for data that must be retained for 7 years or longer to meet regulatory compliance requirements.

Network ACLs (NACLs) are subnet-level firewalls in AWS, controlling inbound and outbound traffic for VPC subnets. They provide an additional layer of security by allowing or denying traffic based on IP protocol, source and destination IP, and port. Security groups operate at the instance level, while Traffic Mirroring and Internet Gateways do not function as firewalls at the subnet level.

Enforcing multi-factor authentication (MFA) for privileged users enhances account security by requiring a second form of authentication. It reduces the risk of unauthorized access, even if credentials are compromised. Removing the root account is not possible, and creating access keys for the root account or privileged users can increase security risks rather than reduce them.

AWS Budgets allows organizations to set custom cost and usage budgets and receive notifications when they exceed predefined thresholds. This feature helps the finance department monitor spending and manage budget forecasts effectively. AWS Cost and Usage Reports and Cost Explorer provide detailed billing data but do not include budget notifications. Consolidated billing in AWS Organizations is useful for aggregating billing across accounts but does not provide budget alerts.

The AWS Cloud is cost-effective for dynamic workloads because of its elasticity, allowing resources to scale up or down based on demand, and its pay-as-you-go pricing, which enables companies to pay only for what they use. Reliability, security, and high availability are also benefits of AWS, but they do not specifically relate to cost-effectiveness in the context of dynamic workloads.

The Amazon EC2 Reserved Instance Marketplace allows customers to sell unused Standard Reserved Instances to other AWS users. This enables companies to recoup some of the costs if they no longer need certain RIs. Standard RIs cannot be converted to Savings Plans, and AWS Support does not facilitate the resale of RIs directly.

AWS Direct Connect is a service that establishes a dedicated network connection between your on-premises network and one or more AWS Regions. AWS Direct Connect can be used to create a private connection between an on-premises workload and an AWS Cloud workload, bypassing the public internet and reducing network costs, latency, and bandwidth issues. AWS Direct Connect can also provide increased security and reliability for your hybrid cloud applications and data transfers. References:

AWS Direct Connect

What is AWS Direct Connect?

AWS Direct Connect User Guide

Spot Instances offer the lowest cost for Amazon EC2 and are suitable for non-production workloads like development and testing where occasional unavailability is acceptable. Spot Instances take advantage of unused EC2 capacity at a reduced cost, making them ideal for environments that can tolerate interruptions. Reserved or On-Demand Instances would be more expensive for this scenario, and Dedicated Hosts are not cost-effective for non-production environments.

AWS Technical Account Managers (TAMs) are available to customers who subscribe to either theAWS Enterprise On-RamporAWS Enterprise Supportplans. TAMs provide proactive guidance and ongoing support, assisting with architecture reviews, operational performance improvements, and business reviews. TheBasicandDeveloperSupport plans do not include access to TAMs, and whileBusiness Supportoffers enhanced technical support, it does not include TAMs either.

Amazon EventBridge Overview:

EventBridge is a serverless event bus that enables applications to react to changes in AWS resources.

It supports routing events such as EC2 state changes to various targets, including AWS Step Functions.

How EventBridge Meets the Requirement:

EventBridge can capture the EC2 instance state change event and trigger the execution of a Step Functions workflow.

The integration is seamless and supports workflows triggered by multiple event sources.

Why Other Options Are Incorrect:

A. Amazon SageMaker:Used for building, training, and deploying machine learning models; not related to event triggers.

B. Amazon Connect:A cloud-based contact center service; unrelated to event triggers.

D. AWS Fargate:A compute engine for containers; does not manage events or invoke workflows.

Under the AWS shared responsibility model, AWS is responsible for managing the underlying infrastructure, including operating system-level updates on managed services like Amazon RDS. Customers are responsible for managing the database instance and configurations, but AWS handles OS updates for the infrastructure supporting RDS.

Amazon Aurora (with PostgreSQL compatibility) and Amazon EC2 can both host PostgreSQL databases. Aurora is a managed database service that provides a fully compatible PostgreSQL environment with automated management. EC2 can also host PostgreSQL, but it requires more manual setup and maintenance. Amazon S3 and EFS do not host databases, and Amazon OpenSearch Service is intended for search and analytics, not relational databases.

Scaling horizontally, or adding more instances of resources rather than increasing the size of a single instance, is a core principle of the Performance Efficiency pillar of the AWS Well-Architected Framework. It enables applications to handle increasing loads by distributing traffic across multiple resources. Other options, such as serverless architectures, managed services, and cost measurement, align with other pillars of the framework.

AWS Migration Hub assists users in planning and tracking the progress of their server and application migrations. It centralizes migration tracking across various AWS services, providing visibility into application inventory and migration status. While AWS Application Migration Service also assists with migrations, Migration Hub is specifically designed for tracking migration data comprehensively.

AWS Enterprise Support provides strategic planning assistance, infrastructure event management, and real-time support, which are necessary for business-critical applications. Trusted Advisor and APN do not offer direct strategic support, and while AWS Professional Services can assist with complex solutions, Enterprise Support specifically includes ongoing operational support and event management.

AWS Elastic Beanstalk is a managed service that facilitates the deployment and management of applications in the AWS Cloud. It supports multiple programming languages and frameworks, allowing users to deploy web applications without managing the underlying infrastructure. Elastic Beanstalk automatically handles deployment, capacity provisioning, load balancing, and auto-scaling. The other services listed, like CodeGuru, Fargate, and CodeCommit, do not provide full application deployment and management capabilities.

Amazon CloudFront is a content delivery network (CDN) that uses edge locations to cache content closer to users, reducing latency and improving performance. It supports the delivery of web content, such as videos and images, by caching copies at edge locations around the world. Amazon Kinesis, SQS, and Route 53 do not utilize edge locations for content caching.

AWS IAM Identity Center (formerly AWS Single Sign-On) provides centralized management of user access to multiple AWS accounts within an organization in AWS Organizations. It allows users to log in once and gain access to all assigned accounts without managing separate logins for each account. Amazon Cognito is generally used for application-level user management and authentication, not for managing access across AWS accounts.

AWS Artifact Overview:

AWS Artifact is a service that provides on-demand access to AWS compliance documentation and agreements.

It includes reports such as PCI DSS, SOC, and ISO certifications.

How AWS Artifact Meets the Requirement:

The PCI DSS compliance documentation can be downloaded directly from the Artifact console.

Artifact helps customers demonstrate compliance to auditors by providing official certifications and attestations.

Why Other Options Are Incorrect:

B. AWS Organizations:Used for managing accounts, not compliance reports.

C. AWS Trusted Advisor:Offers best practice checks but does not provide compliance documentation.

D. AWS Support Center:Provides customer support and ticket management but not compliance documentation.

AWS Fargate and Amazon S3 are both serverless services. Fargate allows users to run containers without managing the underlying infrastructure, while S3 provides object storage without the need for provisioning or managing servers. Amazon EC2, Amazon Managed Streaming for Apache Kafka, and Amazon EMR involve server management to varying degrees and are not serverless by nature.

The AWS Architecture Center provides examples, best practices, and architectural blueprints for various AWS Cloud solutions. It includes whitepapers, reference architectures, and detailed diagrams to help users design secure, scalable, and reliable applications on AWS. Other services like AWS Marketplace, Service Catalog, and Trusted Advisor do not offer solution design examples.

AWS Organizations Overview:

AWS Organizations allows a company to manage multiple AWS accounts under a single organization.

Through the feature of consolidated billing, a company can receive a single bill for all linked accounts.

Key Features of Consolidated Billing in AWS Organizations:

Aggregates usage across accounts to take advantage of volume pricing discounts.

Provides detailed cost reports for individual linked accounts.

Simplifies payment processing by centralizing billing.

Why Other Options Are Incorrect:

A. AWS Billing and Cost Management console:Used for managing budgets and payments but does not set up consolidated billing.

C. AWS Cost and Usage Report:Provides detailed cost and usage reports but does not set up consolidated billing.

D. AWS Systems Manager:Focuses on operational management, not billing.

AWS Lambda is a serverless compute service that is ideal for applications with short-running processes and low-frequency invocation, as it only charges for the compute time consumed. Since the application is invoked only a few times a day and runs for less than 5 minutes, Lambda is the most cost-effective option. ECS, EKS, and EC2 are better suited for more persistent workloads and would be more costly in this use case.

Migration Evaluator is an AWS service that provides a customized assessment of your current on-premises environment and helps you build a data-driven business case for migration to AWS. Migration Evaluator collects and analyzes data from your on-premises servers, such as CPU, memory, disk, network, and utilization metrics, and compares them with the most cost-effective AWS alternatives. Migration Evaluator also helps you understand your existing software licenses and running costs, and provides recommendations for Bring Your Own License (BYOL) and License Included (LI) options in AWS. Migration Evaluator generates a detailed report that shows your projected running costs in the AWS Cloud, along with potential savings and benefits. You can use this report to support your decision-making and planning for cloud migration. References: Cloud Business Case & Migration Plan - Amazon Migration Evaluator - AWS, Getting started with Migration Evaluator

AWS CloudTrail is the service that can be used to meet these requirements. AWS CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, therequest parameters, and the response elements returned by the AWS service1. You can use CloudTrail to track the activity in your AWS accounts, such as who made an API call, when it was made, and what resources were affected. You can also use CloudTrail to monitor thecompliance, security, and governance of your AWS environment2. The other services are not designed to track the activity and API calls in your AWS accounts. Amazon CloudWatch is a servicethat monitors and collects metrics, logs, and events from your AWS resources and applications. You can use CloudWatch to set alarms, visualize data, and automate actions based on predefined thresholds or rules3. Amazon Inspector is a service that helps you improve the security and compliance of your applications running on AWS. Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices4. AWS IAM is a service that enables you to manage access to AWS services and resources securely. IAM allows you to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. References: AWS CloudTrail, AWS CloudTrail – Capture AWS API Activity, Amazon CloudWatch, Amazon Inspector, [AWS IAM]

AWS WAF is a web application firewall that helps protect applications from SQL injection attacks and other common web exploits. By defining rules to block, allow, or monitor specific types of requests, AWS WAF provides an effective defense against SQL injection. Network ACLs and Security Groups provide network-level security but do not inspect web traffic for specific attack patterns like SQL injection.

The security best practices that should be followed are A and E.

A. Grant the developer access to only the AWS resources needed to perform the job. This is an example of the principle of least privilege, which means giving the minimum permissions necessary to achieve a task. This reduces the risk of unauthorized access, data leakage, or accidental damage to AWS resources.You canuse AWS Identity and Access Management (IAM) to create users, groups, roles, and policies that grant fine-grained access to AWS resources12.

E. Ensure the account password policy requires a minimum length. This is a basic security measure that helps prevent brute-force attacks or guessing of passwords. A longer password is harder to crack than a shorter one.You can use IAM to configure apassword policy that enforces a minimum password length, as well as other requirements such as complexity, expiration, and history34.

B. Share the AWS account root user credentials with the developer. This is a bad practice that should be avoided. The root user has full access to all AWS resources and services, and can perform sensitive actions such as changing billing information, closing the account, or deleting all resources. Sharing the root user credentials exposes your account to potential compromise or misuse.You should never share your root user credentials with anyone, and use them only for account administration tasks5.

C. Add the developer to the administrator’s group in IAM. This is also a bad practice that should be avoided. The administrator’s group has full access to all AWS resources and services, which is more than what a developer needs to perform their job. Adding the developer to the administrator’s group violates the principle of least privilege and increases the risk of unauthorized access, data leakage, or accidental damage to AWS resources.You should create a custom group for the developer that grants only the necessary permissions for their role12.

D. Configure a password policy that ensures the developer’s password cannot be changed. This is another bad practice that should be avoided. Preventing the developer from changing their password reduces their ability to protect their credentials and comply with security policies. For example, if the developer’s password is compromised, they cannot change it to prevent further unauthorized access. Or if the company requires periodic password rotation, they cannot update their password to meet this requirement.You should allow the developer to change their password as needed, and enforce a password policy that sets reasonable rules for password management34.

 AWS Personal Health Dashboard and AWS Service Health Dashboard are two AWS services that can help the company to verify that underlying AWS services and general AWS infrastructure are operating normally. AWS Personal Health Dashboard provides a personalized view into the performance and availability of the AWS services you are using, as well as alerts that are automatically triggered by changes in the health of those services. In addition to event-based alerts, Personal Health Dashboard provides proactive notifications of scheduled activities, such as any changes to the infrastructure powering your resources, enabling you to better plan for events that may affect you. These notifications can be delivered to you via email or mobile for quick visibility, and can always be viewed from within the AWS Management Console. When you get an alert, it includes detailed information and guidance, enabling you to take immediate action to address AWS events impacting your resources3. AWS Service Health Dashboard provides a general status of AWS services, and the Service health view displays the current and historical status of all AWS services. This page shows reported service events for services across AWS Regions. You don’t need to sign in or have an AWS account to access the AWS Service Health Dashboard – Service health page. You can also subscribe to RSS feeds for specific services or regions to receive notifications about service events4. References: Gettingstarted with your AWS Health Dashboard – Your account health, Introducing AWS Personal Health Dashboard

 The AWS shared responsibility model describes the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the hardware, software, networking, and facilities that run AWS services. The customer is responsible for security in the cloud, which includes the customer data, applications, operating systems, and network and firewall configurations. Therefore, updating the guest operating system on Amazon EC2 instances is the customer’s responsibility2

According to the AWS shared responsibility model, the customer is responsible for security in the cloud, which includes the tasks of configuring the AWS provided security group firewall and classifying company assets in the AWS Cloud. A security group is a virtual firewall that controls the inbound and outbound traffic for one or more EC2 instances. The customer must configure the security group rules to allow or deny traffic based on protocol, port, or source and destination IP address2 Classifying company assets in the AWS Cloud means identifying the types, categories, and sensitivity levels of the data and resources that the customer stores and processes on AWS. The customer must also determine the applicable compliance requirements and regulations that apply to their assets, and implement the appropriate security controls and measures to protect them

The AWS services that are supported by Savings Plans are:

Amazon EC2: Amazon EC2 is a service that provides scalable computing capacity in the AWS cloud. You can use Amazon EC2 to launch virtual servers, configure security and networking, and manage storage. Amazon EC2 is eligible for both Compute Savings Plans and EC2 Instance Savings Plans12.

Amazon SageMaker: Amazon SageMaker is a service that helps you build and deploy machine learning models. You can use Amazon SageMaker to access Jupyter notebooks, use common machine learning algorithms, train and tune models, and deploy them to a hosted environment. Amazon SageMaker is eligible for SageMaker Savings Plans13.

The other options are not supported by Savings Plans. Amazon RDS, Amazon Redshift, and Amazon DynamoDB are database services that are eligible for Reserved Instances, but not Savings Plans4.

 To make a subnet public, the company should use an Amazon VPC internet gateway and an Amazon VPC route table. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. To enable internet access for a subnet, you need to attach an internet gateway to your VPC and add a route to the internet gateway in the route table associated with the subnet.

This is the pillar of the AWS Well-Architected Framework that represents the philosophy of testing failure scenarios regularly and validating the understanding of the impact of potential failures. The operational excellence pillar covers the best practices for designing, running, monitoring, and improving systems in the AWS Cloud. Testing failure scenarios is one of the ways to improve the system’s resilience, reliability, and recovery. You can learn more about the operational excellence pillar from this whitepaper or this digital course.

Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size. You can specify the maximum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes above this size4. AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

 AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely. You can use IAM to perform the following actions:

Control access to AWS service APIs and to other specific resources: You can create users, groups, roles, and policies that define who can access which AWS resources and how. You can also use IAM to grant temporary access to users or applications that need to perform certain tasks on your behalf3

Protect the AWS environment using multi-factor authentication (MFA): You can enable MFA for your IAM users and root user to add an extra layer of security to your AWS account. MFA requires users to provide a unique authentication code from an approved device or SMS text message, in addition to their user name and password, when they sign in to AWS4

Amazon S3 is a service that provides highly durable and cost-effective object storage for a variety of use cases, including backup and archive, big data analytics, disaster recovery, and cloud applications. Amazon S3 offers 99.999999999% (11 9’s) of durability, meaning that data is designed to withstand the loss of two facilities concurrently. Amazon S3 also offers several storage classes with different price and performance characteristics, such as S3 Glacier and S3 Glacier Deep Archive, which are ideal for long-term archival of data that is rarely accessed. AWS Snowball, AWS Storage Gateway, and Amazon Kinesis are not designed to provide the same level of durability and cost-effectiveness as Amazon S3 for storing call recordings for 6 years. Source: Amazon S3

 Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for your AWS accounts, workloads, and data. Amazon GuardDuty analyzes and processes data sources, such as VPC Flow Logs, AWS CloudTrail event logs, and DNS logs, to identify malicious activities and unauthorized actions, such as reconnaissance, instance compromise, account compromise, and data exfiltration. Amazon GuardDuty can also detect threats to your data stored in Amazon S3, such as API calls from unusual locations or disabling of preventative controls. Amazon GuardDuty generates findings that summarize the details of the detected threats and provides recommendations for remediation. AWS Shield, AWS Firewall Manager, and Amazon Inspector are not the best services to meet this requirement. AWS Shield is a service that provides protection against distributed denial of service (DDoS) attacks. AWS Firewall Manager is a service that allows you to centrally configure and manage firewall rules across your accounts and resources. Amazon Inspector is a service that assesses the security and compliance of your applications running on EC2 instances.

The AWS Enterprise Support Concierge team is a group of billing and account experts who specialize in working with enterprise customers. They can help customers with questions about billing, account management, cost optimization, and other non-technical issues. They can also assist customers with navigating and optimizing their AWS environment, such as setting up consolidated billing, applying for service limit increases, or requesting refunds.

AWS Direct Connect is a service that provides a dedicated network connection from on premises to the AWS Cloud. It can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. It can also provide low latency for applications that require real-time data transfer4. Amazon VPC is a service that provides a logically isolated section of the AWS Cloud where users can launch AWS resources in a virtual network that they define. Amazon Kinesis Data Streams is a service that provides a scalable and durable stream of data records for real-time data processing. Amazon OpenSearch Service is a service that provides a fully managed, scalable, and secure search and analytics solution that is compatible with Elasticsearch.

Amazon EC2 Auto Scaling is an AWS service that can help users reduce the number of Amazon EC2 instances that run when application usage is low. Amazon EC2 Auto Scaling allows users to create scaling policies that automatically adjust the number of EC2 instances based on the demand or a schedule. EC2 Instance Savings Plans, Spot Instances, and Reserved Instances are instance purchasing options that can help users save money on EC2 usage, but they do not automatically scale the number of instances according to the application usage .

AWS Artifact is the AWS service or tool that provides on-demand access to AWS security and compliance reports and AWS online agreements. AWS Trusted Advisor is a tool that provides real-time guidance to help users provision their resources following AWS best practices. Amazon Inspector is a service that helps users improve the security and compliance of their applications. AWS Billing console is a tool that helps users manage their AWS costs and usage. These concepts are explained in the AWS Cloud Practitioner Essentials course3.

AWS Professional Services is a team of experts that help customers achieve their desired outcomes using the AWS Cloud. One of the benefits that AWS Professional Services provides is advisory solutions for AWS adoption, which include guidance on cloud strategy, architecture, migration, and innovation2. Management of the ongoing security of user data, technical support 24 hours a day, 7days a week, and monitoring of monthly billing costs in AWS accounts are not benefits that AWSProfessional Services provides, as they are either the responsibility of the customer or the features of other AWS services or support plans3

Convertible Reserved Instances (RIs) are a type of Reserved Instance that allow you to change the attributes of the RI as long as the exchange results in the creation of Reserved Instances of equal or greater value. You can exchange Convertible RIs for other Convertible RIs from a different instance family, size, platform, tenancy, or scope (Region or Availability Zone)3.

AWS Business Support is the most cost-effective AWS Support plan that provides chat access to a cloud support engineer 24/7. AWS Business Support also offers phone and email support, as well as a response time of less than one hour for urgent issues. AWS Business Support does not include access to infrastructure event management, which is a feature of AWS Enterprise Support. AWS Enterprise Support is more expensive and provides additional benefits, such as a technical account manager, a support concierge, and a response time of less than 15 minutes for critical issues. AWS Developer Support and AWS Basic Support do not provide chat access to a cloud support engineer. AWS Developer Support provides email support and a response time of less than 12 hours for general guidance issues. AWS Basic Support provides customer service and account support, as well as access to forums and documentation1

A is correct because Amazon Lex is the AWS service that helps users build conversational interfaces into applications using voice and text. B is incorrect because Amazon Transcribe is the AWS service that helps users convert speech to text. C is incorrect because Amazon Comprehend is the AWS service that helps users analyze text using natural language processing. D is incorrect because Amazon Timestream is the AWS service that helps users collect, store, and process time series data.

 Amazon QuickSight is an AWS service that provides business intelligence and data visualization capabilities. Amazon QuickSight enables you to ingest, analyze, and display data from various sources, such as AWS Cost and Usage Reports, Amazon S3, Amazon Athena, Amazon Redshift, and Amazon RDS. You can use Amazon QuickSight to create interactive dashboards and charts that show insights and trends from your data. You can also share your dashboards and charts with other users or embed them into your applications.

AWS Elastic Beanstalk is the AWS service that allows customers to deploy applications in the AWS Cloud as quickly as possible. AWS Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, and auto-scaling to application health monitoring. Customers can upload their code and Elastic Beanstalk will take care of the rest1. AWS Elastic Beanstalk also minimizes the complexity that is related to the management of AWS resources. Customers can retain full control of the underlying AWS resources powering their applications and adjust the settings to suittheir needs1. Customers can also use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or APIs to manage their applications1.

AWS Config is the AWS service that enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records the configuration changes of the resources and evaluates them against desired configurations or best practices2. AWS Config does not help customers deploy applications in the AWS Cloud as quickly as possible or minimize the complexity that is related to the management of AWS resources.

Amazon EC2 is the AWS service that provides secure, resizable compute capacity in the cloud. Customers can launch virtual servers called instances and choose from various configurations of CPU, memory, storage, and networking resources3. Amazon EC2 does not automatically handle the deployment or management of AWS resources for customers. Customers have to manually provision, configure, monitor, and scale their instances and other related resources.

Amazon Personalize is the AWS service that enables customers to create personalized recommendations for their users based on their behavior and preferences. Amazon Personalize uses machine learning to analyze data and deliver real-time recommendations4. Amazon Personalize does not help customers deploy applications in the AWS Cloud as quickly as possible or minimize the complexity that is related to the management of AWS resources.

AWS Storage Gateway is a hybrid cloud storage service that allows you to extend your on-premises file storage capabilities to the AWS Cloud. AWS Storage Gateway file gateway enables you to store and access your files in Amazon S3 using industry-standard file protocols such as NFS and SMB. File gateway caches frequently accessed files locally, providing low-latency access to your data. File gateway also optimizes the transfer of data between your on-premises environment and AWS, minimizing the amount of bandwidth consumed. By using file gateway, you can retain the performance benefit of sharing content locally while leveraging the scalability, durability, and cost-effectiveness of Amazon S3. References: AWS Storage Gateway, File Gateway

Reserved Instances are a pricing model that offers significant discounts on Amazon EC2 usage compared to On-Demand Instances. Reserved Instances are suitable for stateful workloads that have predictable and consistent usage patterns for a long-term period. By committing to a one-year or three-year term, customers can reduce their total cost of ownership and optimize their cloud spend. Reserved Instances also provide capacity reservation, ensuring that customers have access to the EC2 instances they need when they need them. References: AWS Pricing Calculator, Amazon EC2 Pricing, [AWS Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]

AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. You can use AWS Artifact to download AWS service audit reports, such as ISO, PCI, and SOC, and to accept and manage agreements with AWS, such as the Business Associate Addendum (BAA).

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config can help you determine when an EBS volume was removed from an EC2 instance by providing a timeline of configuration changes and compliance status. AWS Trusted Advisor, Amazon Timestream, and Amazon QuickSight do not provide the same level of configuration tracking and auditing as AWS Config. Source: AWS Config

AWS Budgets is a service that helps you plan your service usage, service costs, and instance reservations, and track how close your plan is to your budgeted amount. You can set custom budgets that alert you when you exceed (or are forecasted to exceed) your budgeted thresholds. You can also use AWS Budgets to set a maximum spending limit on AWS services each month and set up alerts for when you reach your spending limit. Cost Explorer is a service that enables you to visualize, understand, and manage your AWS costs and usage over time. You can use Cost Explorer to view charts and graphs that show how your costs are trending, identify areas that need further inquiry, and see the impact of your cost management actions. However, Cost Explorer does not allow you to set a maximum spending limit or alerts for your AWS services. AWS Trusted Advisor is a service that provides you real time guidance to help you provision your resources following AWS best practices, including security and performance. It can help you monitor for cost optimization opportunities, such as unused or underutilized resources, but it does not allow you to set a maximum spending limit or alerts for your AWS services. Service Quotas is a service that enables you to view and manage your quotas, also referred to as limits, from a central location. Quotas, also referred to as limits, are the maximum number of resources that you can create in your AWS account. However, Service Quotas does not allow you to set a maximum spending limit or alerts for your AWS services.

AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices, including security and performance. It can help you monitor for misconfigured security groups that are allowing unrestricted access to specific ports. Amazon CloudWatch is a service that monitors your AWS resources and the applications you run on AWS. Amazon GuardDuty is a threat detection service that continuously monitors for maliciousactivity and unauthorized behavior. AWS Health Dashboard provides relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities.

AWS Organizations is a service that enables you to create and manage multiple AWS accounts centrally. You can use AWS Organizations to automate account creation, apply policies to control access and permissions, and consolidate billing across your accounts. You can also use AWS Organizations to prevent users from creating Amazon EC2 instances in certain regions or with certain configurations2

The AWS service that should be used when a company needs to provide its remote employees with virtual desktops is Amazon WorkSpaces. Amazon WorkSpaces is a fully managed, secure desktop-as-a-service (DaaS) solution that runs on AWS. Amazon WorkSpaces allows users to provision cloud-based virtual desktops and provide their end users access to the documents, applications, and resources they need from any supported device, including Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android tablets4. Amazon Identity and Access Management (IAM), AWS Directory Service, and AWS IAM Identity Center (AWS Single Sign-On) are other AWS services related to identity and access management, but they do not provide virtual desktops.

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It is a fully managed, serverless database that does not require provisioning, patching, or backup. It offers built-in security, backup and restore, and in-memory caching3. Amazon RDS is a relational database service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. However, it is not a key-value NoSQL database, and it is not serverless, as it requires you to choose an instance type and size4. Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud, that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases. However, it is also not a key-value NoSQL database, and it is not serverless, as it requires you to choose an instance type and size. Amazon MemoryDB for Redis is a Redis-compatible, durable, in-memory database service that delivers ultra-fast performance and multi-AZ reliability for the most demanding applications. However, it is also not a key-value NoSQL database, and it is not serverless, as it requires you to choose a node type and size.

Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. You can use Amazon Cognito to enable users to sign in directly with a user name and password, or through a third-party provider, such as Facebook, Google, or Amazon. You can also use Amazon Cognito to manage user profiles, preferences, and security settings3

AWS CloudFormation and AWS Cloud Development Kit (AWS CDK) are AWS services that can limit manual errors by consistently provisioning AWS resources in multiple environments. AWS CloudFormation is a service that enables you to model and provision AWS resources using templates. You can use AWS CloudFormation to define the AWS resources and their dependencies that you need for your applications, and to automate the creation and update of those resources across multiple environments, such as development, testing, and production. AWS CloudFormation helps you ensure that your AWS resources are configured consistently and correctly, and that you can easily replicate or modify them as needed. AWS Cloud Development Kit (AWS CDK) is a service that enables you to use familiar programming languages, such as Python, TypeScript, Java, and C#, to define and provision AWS resources. You can use AWS CDK to write code that synthesizes into AWS CloudFormation templates, and to leverage the existing libraries and tools of your preferred language. AWS CDK helps you reduce the complexity and errors of writing and maintaining AWS CloudFormation templates, and to apply the best practices and standards of software development to your AWS infrastructure.

This is the AWS service or resource that will meet the requirements of distributing traffic between the Amazon EC2 instances that host the website. Application Load Balancer is a type of Elastic Load Balancing that distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. Application Load Balancer operates at the application layer (layer 7) of the OSI model and supports advanced features such as path-based routing, host-based routing, health checks, and SSL termination. You can learn more about Application Load Balancer from [this webpage] or [this digital course].

AWS Control Tower is a service that provides an easy way to set up and govern a secure, multi-account AWS environment. It automates the creation of accounts, organizational units, policies, and best practices based on the AWS Well-Architected Framework. AWS IAM Identity Center (AWS Single Sign-On) is a service that enables users to centrally manage access to multiple AWS accounts and business applications using a single sign-on experience. AWS Systems Manager is a service that provides operational management for AWS resources and applications. AWS Config is a service that enables users to assess, audit, and evaluate the configurations of AWS resources.

AWS Budgets and Amazon CloudWatch are two AWS services or tools that the company can use to receive a notification when a specific AWS cost threshold is reached. AWS Budgets allows users to set custom budgets to track their costs and usage, and respond quickly to alerts received from email or Amazon Simple Notification Service (Amazon SNS) notifications if they exceed their threshold. Users can create cost budgets with fixed or variable target amounts, and configure their notifications for actual or forecasted spend. Users can also set up custom actions to run automatically or through an approval process when a budget target is exceeded. For example, users could automatically apply a custom IAM policy that denies them the ability to provision additional resources within an account. Amazon CloudWatch is a service that monitors applications, responds to performance changes, optimizes resource use, and provides insights into operational health. Users can use CloudWatch to collect and track metrics, which are variables they can measure for their resources and applications. Users can create alarms that watch metrics and send notifications or automatically make changes to the resources they are monitoring when a threshold is breached. Users can use CloudWatch to monitor their AWS costs and usage by creating billing alarms that send notifications when their estimated charges exceed a specified threshold amount. Userscan also use CloudWatch to monitor their Reserved Instance (RI) or Savings Plans utilization and coverage, and receive notifications when they fall below a certain level.

 Cloud Cost And Usage Budgets - AWS Budgets, What is Amazon CloudWatch?, Creating a billing alarm - Amazon CloudWatch

Availability Zones are components of AWS infrastructure that can help the company ensure that the application is highly resilient. Availability Zones are multiple, isolated locations within each AWS Region. Each Availability Zone has independent power, cooling, and physical security, and is connected to the other Availability Zones in the same Region via low-latency, high-throughput, and highly redundant networking. Availability Zones allow you to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. 

AWS IAM Access Analyzer is an AWS service that helps customers identify and review the resources in their AWS account that are shared with an external entity, such as another AWS account, a root user, an organization, or a public entity. AWS IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to analyze the resource-based policies in the account and generate comprehensive findings that show the access level, the source of the access, the affected resource, and the condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate their access policies, and monitor any changes to the resource sharing status. References: AWSIAM Access Analyzer, Identify and review resources shared with external entities, How AWS IAM Access Analyzer works

 A and B are correct because AWS CodeCommit is the AWS service that provides a fully managed source control service that hosts secure Git-based repositories1, and AWS CodeDeploy is the AWS service that automates code deployments to any instance, including Amazon EC2 instances and servers running on-premises2. These two services can be used together to store source code and update the running software when the code changes. C is incorrect because Amazon DynamoDB is the AWS service that provides a fully managed NoSQL database service that supports key-value and document data models3. It is not related to storing source code or updating software. D is incorrect because Amazon S3 is the AWS service that provides object storage through a web service interface4. It can be used to store source code, but it does not provide source control features or update software. E is incorrect because Amazon Elastic Container Service (Amazon ECS) is the AWS service that allows users to run, scale, and secure Docker container applications. It can be used to deploy containerized software, but it does not store source code or update software.

The set of tasks that would meet the requirement of having higher availability for a MySQL database running on a single Amazon EC2 instance is to migrate to Amazon RDS and enable Multi-AZ. Amazon RDS is a fully managed relational database service that supports MySQL and other popular database engines. By enabling Multi-AZ, users can have a primary database in one Availability Zone and a synchronous standby replica in another Availability Zone. In case of a planned or unplanned outage of the primary database, Amazon RDS automatically fails over to the standby replica with minimal disruption3. Adding an Application Load Balancer in front of the EC2 instance, configuring EC2 Auto Recovery to move the instance to another Availability Zone, or enabling termination protection for the EC2 instance would not provide higher availability for the database, as they do not address the single point of failure or data replication issues.

AWS Auto Scaling is the AWS service that allows users to optimize the number of EC2 instances based on the usage pattern, as it automatically adjusts the capacity to maintain steady and predictable performance at the lowest possible cost. Spot Instances are a way to reduce the cost ofEC2 instances by bidding on unused EC2 capacity, but they are not suitable for applications that require steady and reliable performance. Reserved Instances are a way to reduce the cost of EC2 instances by committing to a certain amount of usage for a period of time, but they are not flexible to adjust to the usage pattern. AWS CloudFormation is a way to automate the creation and management of AWS resources, but it does not optimize the number of EC2 instances based on the usage pattern. These concepts are explained in the AWS Cloud Practitioner Essentials course3.

Amazon EC2 Spot Instances are instances that use spare EC2 capacity that is available at up to a 90% discount compared to On-Demand prices. You can use Spot Instances for various stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, high-performance computing (HPC), and test & development workloads. Spot Instances are ideal for workloads that can be interrupted, such as batch image rendering applications1. On-Demand Instances are instances that let you pay for compute capacity by the hour or second (minimum of 60 seconds) with no long-term commitments. This frees you from the costs and complexities of planning, purchasing, and maintaining hardware and transforms what are commonly large fixed costs into much smaller variable costs2. Reserved Instances are instances that provide you with a significant discount (up to 75%) compared to On-Demand Instance pricing. In exchange, you select a term and make an upfront payment to reserve a certain amount of compute capacity for that term3. Dedicated Instances are instances that run in a VPC on hardware that’s dedicated to a single customer. Your Dedicated Instances are physically isolated at the host hardware level from instances that belong to other AWS accounts4.

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It’s a fully managed, multi-region, multi-active, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second. DynamoDB provides the least operational overhead for storing data from a recommendation engine, as it does not require any server provisioning, patching, or maintenance3

The AWS Cloud Adoption Framework (AWS CAF) cloud transformation journey is a four-phase process that helps customers plan and execute their cloud migration and digital transformation. The four phases are:

Envision phase: This phase focuses on demonstrating how cloud will help accelerate the business outcomes of the customer. It involves identifying and prioritizing transformation opportunities across four domains: business, people, governance, and platform. It also involves associating the transformation initiatives with key stakeholders and measurable business outcomes1.

Align phase: This phase focuses on identifying capability gaps across six perspectives: business, people, governance, platform, security, and operations. It also involves identifying cross-organizational dependencies and surfacing stakeholder concerns and challenges. The goal of this phase is to create strategies for improving the cloud readiness, ensure stakeholder alignment, and facilitate relevant organizational change management activities1.

Launch phase: This phase focuses on delivering pilot initiatives in production and demonstrating incremental business value. Pilots should be highly impactful and influence future direction. The customer should learn from the pilots and adjust their approach before scaling to full production1.

Scale phase: This phase focuses on expanding production pilots and business value to the desired scale and ensuring that the business benefits associated with the cloud investments are realized and sustained1.

AWS Organizations is an AWS service that enables you to centrally manage and govern your AWS Cloud environments across multiple business units. AWS Organizations allows you tocreate an organization that consists of AWS accounts that you create or invite to join. You can group your accounts into organizational units (OUs) and apply service control policies (SCPs) to them. SCPs are a type of policy that specify the maximum permissions for the accounts in your organization, and can help you enforce compliance and security requirements. AWS Organizations also simplifies billing processes by enabling you to consolidate and pay for all member accounts with a single payment method. You can also use AWS Organizations to automate the creation of AWS accounts by using APIs or AWS CloudFormation templates. References: What is AWS Organizations?, Policy-Based Management - AWS Organizations

 AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center1.

Amazon Personalize is an AWS service that helps developers quickly build and deploy a custom recommendation engine with real-time personalization and user segmentation1. It uses machine learning (ML) to analyze customer data and provide relevant recommendations based on their preferences, behavior, and context.Amazon Personalize can be used for various use cases such as optimizing recommendations, targeting customers more accurately, maximizing the value of unstructured text, and promoting items using business rules1.

The other options are not suitable for providing product recommendations based on customer data. Amazon Polly is a service that converts text into lifelike speech. Amazon Comprehend is a service that uses natural language processing (NLP) toextract insights from text and documents. Amazon Rekognition is a service that uses computer vision (CV) to analyze images and videos for faces, objects, scenes, and activities.

1: Cloud Products - Amazon Web Services (AWS)

2: Recommender System – Amazon Personalize – Amazon Web Services

3: Top 25 AWS Services List 2023 - GeeksforGeeks

4: AWS to Azure services comparison - Azure Architecture Center

5: The 25+ Best AWS Cost Optimization Tools (Updated 2023) - CloudZero

6: Amazon Polly – Text-to-Speech Service - AWS

7: Natural Language Processing - Amazon Comprehend - AWS

8: Image and Video Analysis - Amazon Rekognition - AWS

The AWS service that the company should use to meet these requirements is A. AWS Snowmobile.

AWS Snowmobile is a service that allows you to migrate large amounts of data to AWS using a 45-foot long ruggedized shipping container that can store up to 100 petabytes of data. AWS Snowmobile is designed for situations where you need to move massive amounts of data to the cloud in a fast, secure, and cost-effective way.AWS Snowmobile has the least possible operational overhead because it eliminates the need to buy, configure, or manage hundreds or thousands of storage devices12.

AWS Snowball Edge is a service that allows you to migrate data to AWS using a physical device that can store up to 80 terabytes of data and has compute and storage capabilities to run applications on the device. AWS Snowball Edge is suitable for situations where you have limited or intermittent network connectivity, or where bandwidth costs are high.However, AWS Snowball Edge has more operational overhead than AWS Snowmobile because you need to request multiple devices and transfer your data onto them using the client3.

AWS Data Exchange is a service that allows you to find, subscribe to, and use third-party data in the cloud.AWS Data Exchange is not a data migration service, but rather a data marketplace that enables data providers and data consumers to exchange data sets securely and efficiently4.

AWS Database Migration Service (AWS DMS) is a service that helps migrate databases to AWS.AWS DMS does not migrate file storage data, but rather supports various database platforms and engines as sources and targets5.

 Amazon S3 Glacier Deep Archive is a storage class within Amazon S3 that provides the lowest-cost, long-term data storage for data that is rarely accessed. AWS Snowball is a service that provides aphysical device for transferring large amounts of data into and out of AWS. Amazon MQ is a service that provides managed message broker service for Apache ActiveMQ. AWS Storage Gateway is a service that provides hybrid cloud storage for on-premises applications.

 The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. The framework consists of five pillars: operational excellence, performance efficiency, reliability, security, and cost optimization. The security pillar covers the AWS shared responsibility model, which defines the security and compliance responsibilities of AWS and the customers. You can learn more about the AWS Well-Architected Framework from [this whitepaper] or [this digital course].

 Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. Amazon RDS supports six popular database engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. Amazon RDS can support running a copy of a MySQL database in the AWS Cloud, as it offers compatibility, scalability, and availability features.

The correct answer is B and C. EC2 Amazon Machine Images (AMIs) and Amazon Elastic Block Store (Amazon EBS) snapshots are two AWS services that provide disaster recovery solutions for Amazon EC2 instances.

EC2 AMIs are preconfigured templates that contain the software configuration and data required to launch an EC2 instance. You can create AMIs from your running EC2 instances and use them to launch new instances in the same or different AWS Regions. This way, you can quickly recover your EC2 instances in case of a disaster that affects your primary Region or Availability Zone1.

Amazon EBS snapshots are incremental backups of your Amazon EBS volumes. You can create snapshots of your volumes and store them in Amazon S3, which is a highly durable and scalable storage service. You can use snapshots to restore your volumes to a previous point in time or to create new volumes from snapshots. Snapshots can also be copied across AWS Regions, enabling you to recover your data in another Region in case of a disaster2.

The other options are not directly related to disaster recovery for EC2 instances:

EC2 Reserved Instances are a pricing model that allows you to reserve EC2 capacity for a specific period of time and receive a discount on the hourly charge. Reserved Instances do not provide any disaster recovery benefits, as they are only a billing option3.

AWS Shield is a managed service that protects your AWS resources from distributed denial-of-service (DDoS) attacks. AWS Shield provides basic protection for all AWS customers at no additional charge, and advanced protection for customers who need higher levels of detection and mitigation. AWS Shield does not provide any disaster recovery benefits, as it is only a security service4.

Amazon GuardDuty is a threat detection service that monitors your AWS account and workloads for malicious or unauthorized activity. Amazon GuardDuty analyzes various data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs, to identify potential threats and alert you via Amazon CloudWatch Events or AWS Lambda. Amazon GuardDuty does not provide any disaster recovery benefits, as it is only a monitoring service5.

AWS Outposts is a service that provides fully managed AWS infrastructure and services on premises. It allows users to run applications that require low latency and local data processing, while seamlessly connecting to the AWS Cloud for a consistent hybrid experience. AWS IoT Greengrass isa service that provides local compute, messaging, data caching, sync, and ML inference capabilities for connected devices. AWS Lambda is a service that allows users to run code without provisioning or managing servers. AWS Snowball Edge is a device that provides a petabyte-scale data transport and edge computing solution.

AWS Shield Advanced is a service that provides high levels of detection and near-real-time (NRT) mitigation against large and sophisticated distributed denial of service (DDoS) attacks on applications running on AWS. AWS Shield Advanced also provides you with 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS attacks of any size or duration1. Amazon GuardDuty is a service that provides threat detection for your AWS accounts and workloads, but itdoes not offer DDoS protection3. Amazon Inspector is a service that helps you improve the security and compliance of your applications deployed on AWS by automatically assessing them for vulnerabilities and deviations from best practices. Amazon Macie is a service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. You can use CloudTrail to identify who accessed an AWS service and what action was performed for a given time period. Amazon CloudWatch, AWS Security Hub, and Amazon Inspector are AWS services that provide different types of monitoring and security capabilities.

AWS Regions are the AWS service or resource that the company should use to select its Amazon RDS deployment area. AWS Regions are separate geographic areas where AWS clusters its data centers. Each AWS Region consists of multiple, isolated, and physically separate Availability Zones within a geographic area. Each AWS Region is designed to be isolated from the other AWS Regions to achieve the highest possible fault tolerance and stability. AWS provides a more extensive global footprint than any other cloud provider, and to support its global footprint and ensure customers are served across the world, AWS opens new Regions rapidly. AWS maintains multiple geographic Regions, including Regions in North America, South America, Europe, China, Asia Pacific, South Africa, and the Middle East. Amazon RDS is available in several AWS Regions worldwide. To create or work with an Amazon RDS DB instance in a specific AWS Region, you must use the corresponding regional service endpoint. You can choose the AWS Region that meets your latency or legal requirements. You can also use multiple AWS Regions to design a disaster recovery solution or to distribute your read workload. References: Global Infrastructure Regions & AZs - aws.amazon.com, Regions, Availability Zones, and Local Zones - Amazon Relational Database Service

 Amazon Aurora is a relational database service that is compatible with MySQL and PostgreSQL engines. It delivers up to five times the performance of MySQL and up to three times the performance of PostgreSQL. It also provides high availability, scalability, security, and durability1

AWS Key Management Service (AWS KMS) is designed to integrate with various AWS services to encrypt data at rest. It provides a secure and highly available service to create, control, and manage encryption keys used to encrypt your data. AWS Certificate Manager (ACM) is for managing SSL/TLS certificates, AWS Identity and Access Management (IAM) is for managing user access and permissions, and AWS Security Hub is for security monitoring and compliance, but none of these services provide data encryption at rest like AWS KMS.QUESTION NO: 298

A company has an AWS Business Support plan. The company needs to gain access to the AWS DDoS Response Team (DRT) to help mitigate DDoS events.

Which AWS service or resource must the company use to meet these requirements?

A. AWS Shield Standard

B. AWS Enterprise Support

C. AWS WAF

D. AWS Shield Advanced

Answer: D

AWS Shield Advanced provides enhanced protection against DDoS attacks and includes access to the AWS DDoS Response Team (DRT) to help mitigate complex DDoS events. AWS Shield Standard offers basic DDoS protection, which is included with AWS services, but does not provide access to the DRT. AWS WAF is a web application firewall, and AWS Enterprise Support is a premium support plan but does not specifically provide DDoS mitigation services or access to the DRT.

Amazon Inspector is the AWS service that can be used to perform vulnerability scans on AWS EC2 instances for software vulnerabilities automatically in a periodic fashion. Amazon Inspector automatically discovers EC2 instances and scans them for software vulnerabilities and unintended network exposure. Amazon Inspector uses AWS Systems Manager (SSM) and the SSM Agent to collect information about the software application inventory of the EC2 instances. This data is then scanned by Amazon Inspector for software vulnerabilities12. Amazon Inspector also integrates with other AWS services, such as AmazonEventBridge and AWS Security Hub, to automate discovery, expedite vulnerability routing, and shorten mean time to remediate (MTTR) vulnerabilities2.

Amazon Athena is a serverless interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is ideal for quick, ad-hoc querying but it can also handle complex analysis, including large joins, window functions, and arrays. Athena scales automatically—executing queries in parallel—so results are fast, even with large datasets and complex queries. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that can run complex analytic queries against structured and semi-structured data using standard SQL. However, it is not a serverless service and requires provisioning and managing clusters of nodes. AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load your data for analytics. However, it is not a query service and does not support standard SQL. Amazon Kinesis Data Streams is a service that enables you to build custom applications that process or analyze streaming data for specialized needs. However, it is not a query service and does not support standard SQL.

Amazon S3 is a service that provides durable storage for static content and infinitely scalable data storage infrastructure at the lowest cost. Amazon S3 is an object storage service that allows you to store and retrieve any amount of data from anywhere on the internet. Amazon S3 offers industry-leading scalability, availability, and performance, as well as 99.999999999% (11 9s) of durability and multi-AZ resilience. Amazon S3 also provides various storage classes that offer different levels of performance and cost optimization, such as S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access (S3 Standard-IA), S3 One Zone-Infrequent Access (S3One Zone-IA), and S3 Glacier456. Amazon S3 is ideal for storing static content, such as images, videos, documents, and web pages, as well as building data lakes, backup and archive solutions, big data analytics, and machine learning applications456. References: 4: Cloud Storage on AWS, 5: Object Storage - Amazon Simple Storage Service (S3) - AWS, 6: Amazon S3 Documentation

AWS Marketplaceis an online store where independent software vendors (ISVs) can list and sell their software products, including custom Amazon Machine Images (AMIs). It allows vendors to share, distribute, and monetize their AMIs with a broad audience of AWS customers.

B. AWS Data Exchange: Incorrect, as it is a service for finding, subscribing to, and using third-party data in the cloud, not for delivering custom AMIs.

C. Amazon EC2: Incorrect, as it is the service for running instances, but it does not provide a marketplace for distributing AMIs.

D. AWS Organizations: Incorrect, as it is a service for managing multiple AWS accounts, not for distributing software products like AMIs.

AWS Cloud References:

AWS Marketplace

Amazon Inspector is a service that provides automated security assessment and management for AWS resources, such as Amazon EC2 instances. Amazon Inspector can scan applications for common vulnerabilities, such as SQL injection, cross-site scripting, and remote code execution. Amazon Inspector can also check the configuration of AWS resources against security best practices, such as the CIS Benchmarks and the AWS Security Best Practices. Amazon Inspector can help customers identify and remediate security issues, comply with security standards, and improve the security posture of their AWS environment12. References:

Amazon Inspector

Improved, Automated Vulnerability Management for Cloud Workloads with a New Amazon Inspector | AWS News Blog

According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as the global network, the hardware, the software, and the facilities. The customer is responsible for properly configuring the security of the provided service, such as the guest operating system, the application software, the data, and the network traffic. For abstracted services, such as Amazon RDS, AWS operates the infrastructure layer, the operating system, and the database software, while the customer is responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriate permissions12.

Therefore, the tasks that are the customer’s responsibility are:

Perform client-side data encryption: The customer is responsible for encrypting their data before sending it to AWS, and decrypting it after receiving it from AWS. This ensures that the data is protected in transit and at rest. AWS provides various encryption options, such as AWS Key Management Service (AWS KMS), AWS CloudHSM, and AWS Certificate Manager (ACM)3.

Configure IAM credentials: The customer is responsible for creating and managing IAM users, groups, roles, and policies that control the access to AWS resources and services. IAM credentials include user names, passwords, access keys, and permissions4.

The tasks that are not the customer’s responsibility are:

Establish the global infrastructure: AWS is responsible for building and maintaining the global network of regions, availability zones, and edge locations that provide low latency, high availability, and fault tolerance for the AWS Cloud5.

Secure edge locations: AWS is responsible for protecting the physical security of the edge locations, which are sites that deliver cached content to end users with improved performance6.

Patch Amazon RDS DB instances: AWS is responsible for applying patches and updates to the operating system and the database software of the Amazon RDS DB instances, which are managed relational database service for MySQL, PostgreSQL, Oracle, SQL Server, and Amazon Aurora. References:

Shared Responsibility Model - Amazon Web Services (AWS)

Shared responsibility model - Amazon Web Services: Risk and Compliance

Encryption - Amazon Web Services (AWS)

What Is IAM? - AWS Identity and Access Management

Global Infrastructure - Amazon Web Services (AWS)

Amazon CloudFront Features - Content Delivery Network (CDN)

[What Is Amazon Relational Database Service (Amazon RDS)? - Amazon Relational Database Service]

By implementingAWS CloudTrail, a company is adhering to the AWS Cloud design principle ofactivating traceability. AWS CloudTrail provides detailed logs of all API calls made in an AWS account, which helps monitor, troubleshoot, and detect unusual activity, thereby improving security and compliance. This supports the principle of "activating traceability" by enabling continuous monitoring and auditing of all actions and changes within the AWS environment.

B. Use serverless compute architectures: Incorrect, as this principle encourages the use of managed services that handle infrastructure, such as AWS Lambda, and is not directly related to CloudTrail.

C. Perform operations as code: Incorrect, as this principle emphasizes the use of code and automation for infrastructure management.

D. Go global in minutes: Incorrect, as this principle relates to the global deployment of applications and services.

AWS Cloud References:

AWS Well-Architected Framework

AWS CloudTrail

AWS Direct Connectis a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. This requires the use of an Internet Service Provider (ISP) and a colocation facility to connect to the Direct Connect location. It provides a private, high-speed, low-latency connection that does not go over the public internet.

A. AWS VPN: Incorrect, as AWS VPN establishes secure connections over the internet and does not necessarily require a colocation facility.

B. Amazon Connect: Incorrect, as it is a cloud-based contact center service.

D. Internet Gateway: Incorrect, as it is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

AWS Cloud References:

AWS Direct Connect

An IAM credential report is a feature of AWS Identity and Access Management (IAM) that allows you to view and download a report that lists all IAM users in your account and the status of their various credentials, such as passwords, access keys, and MFA devices. You can use this reportto audit the security status of your IAM users and ensure that they follow the best practices for credential management1. References: 1: AWS Documentation - IAM User Guide - Getting credential reports for your AWS account

The Envision phase of the cloud transformation journey is where the company defines its vision, business drivers, and desired outcomes for the cloud adoption. The company also identifies its capability gaps by using the AWS Cloud Adoption Framework (AWS CAF) perspectives, which are business, people, governance, platform, security, and operations2.

Consolidated billing is a feature of AWS Organizations that enables customers to consolidate billing and payment for multiple AWS accounts. With consolidated billing, customers can group multiple AWS accounts under one payer account, making it easier to manage billing and track costs across multiple accounts. Consolidated billing also offers benefits such as volume discounts, Reserved Instance discounts, and Savings Plans discounts. Consolidated billing is offered at no additional cost.

Multiple AWS accounts is a feature of AWS Organizations that enables customers to create and manage multiple AWS accounts from a central location. With multiple AWS accounts, customers can isolate workloads for different departments, projects, or environments, and apply granular access controls and policies to each account. Multiple AWS accounts also helps customers improve security, compliance, and governance of their AWS resources56. References: 5: Consolidated billing for AWS Organizations - AWS Billing, 6: Understanding Consolidated Bills - AWS Billing, 7: AWS Consolidated Billing: Tutorial & Best Practices, 8: Simplifying Your Bills With Consolidated Billing on AWS - Aimably, 9: AWS Consolidated Billing - W3Schools

AWS Transit Gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks through a central gateway. AWS Transit Gateway simplifies and scales the connectivity between your on-premises networks and AWS, as you only need to create and manage a single connection from the central gateway to each on-premises network, rather than individual connections to each VPC. You can also use AWS Transit Gateway to connect to other AWS services, such as Amazon S3, Amazon DynamoDB, and AWS PrivateLink12. AWS Transit Gateway supports thousands of VPCs per gateway, and enables you to peer Transit Gateways across AWS Regions3.

The other options are not AWS services or features that can simplify and scale the connectivity between on-premises networks and hundreds of VPCs using AWS Direct Connect. VPC endpoints enable private connectivity between your VPCs and supported AWS services, but do not support on-premises networks4. Amazon Route 53 is a DNS service that helps you route internet traffic to your resources, but does not provide network connectivity5. AWS Secrets Manager is a service that helps you securely store and manage secrets, such as database credentials and API keys, but does not relate to network connectivity

Understanding Operational Excellence: The Operational Excellence pillar of the AWS Well-Architected Framework focuses on running and monitoring systems to deliver business value and continuously improving supporting processes and procedures.

Key Concepts of Operational Excellence:

Small, Reversible Changes: Making changes in small, incremental steps allows for easier troubleshooting and rollback if issues arise.

Regular Updates: Regularly updating components ensures that systems stay up-to-date with the latest features, security patches, and performance improvements.

Automation: Implementing automation for deployments, updates, and monitoring to reduce human error and increase efficiency.

Continuous Improvement: Encouraging continuous learning and process improvement to enhance operational processes.

Implementing Operational Excellence:

Deployment Automation: Use CI/CD pipelines to automate deployments and ensure that changes can be rolled back if necessary.

Monitoring and Logging: Implement comprehensive monitoring and logging to track system health and performance.

Incident Response: Develop a robust incident response plan to handle issues quickly and efficiently.

Documentation and Training: Maintain thorough documentation and provide training to ensure teams can effectively manage and improve operations.

AWS Well-Architected Framework: Operational Excellence Pillar

Amazon Macie is a data security and privacy service offered by AWS that uses machine learning and pattern matching to discover the sensitive data stored within Amazon S3. You can define your own custom type of sensitive data category that might be unique to your business or use case. Macie also provides you with dashboards and alerts that give you visibility into how your data is being accessed or moved. Macie helps you protect your data by enabling you to apply data protection techniques such as encryption, deletion, access control, and auditing. References: Strengthen the security of sensitive data stored in Amazon S3 by using additional AWS services, Security best practices for Amazon S3, Sensitive Data Protection on AWS, Sensitive Data Protection on Amazon Web Services

AWS Management Console is a web application that allows you to manage and monitor your AWS Cloud resources through a user-friendly interface. You can use the AWS Management Console to access and experiment with over 150 AWS services, view and modify your account and billing information, get in-console help from AWS Support, and customize your dashboard with widgets that display key metrics and information for your applications567. You can also use the AWS Management Console to launch and configure AWS resources using wizards andtemplates, without writing any code5. References: 5: Manage AWS Resources - AWS Management Console - AWS, 6: Getting Started with the AWS Management Console, 7: Manage AWS Resources - AWS Management Console Features - AWS

 Amazon S3 and Amazon EBS are two AWS services that can be used to store files . Amazon S3 is an object storage service that offers high scalability, durability, availability, and performance. Amazon EBS is a block storage service that provides persistent and low-latency storage volumes for Amazon EC2 instances. AWS Lambda, Amazon SageMaker, and AWS Storage Gateway are other AWS services that have different purposes, such as serverless computing, machine learning, and hybrid cloud storage .

Amazon EC2 On-Demand Instances are ideal for unpredictable workloads that do not require a long-term commitment. This option allows users to pay for compute capacity by the hour or second, with no long-term commitments. It is suitable for short-term, spiky, or unpredictable workloads that cannot be interrupted and require flexibility. Option A is better suited for Reserved Instances, Option B is ideal for Spot Instances, and Option D is more suited for Reserved Instances due to cost optimization for long-term use.

"There is no long-term commitment required when you purchase On-Demand Instances. You pay only for the seconds that your On-Demand Instances are in the running state, with a 60-second minimum. The price per second for a running On-Demand Instance is fixed, and is listed on the Amazon EC2 Pricing, On-Demand Pricing page. We recommend that you use On-Demand Instances for applications with short-term, irregular workloads that cannot be interrupted."https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-on-demand-instances.html

AWS provides an Attestation of Compliance (AOC) report for specific AWS services to assist companies in achieving Payment Card Industry Data Security Standard (PCI DSS) compliance in the cloud. This report demonstrates that AWS services meet the necessary PCI DSS requirements. AWS does not offer physical inspections of data centers by appointment, nor does it provide certifications for any application running on AWS. Additionally, AWS does not provide professional PCI compliance services; companies must manage their PCI compliance in their environment.

AVPC (Virtual Private Cloud)in AWS is a logically isolated network that you define in the AWS Cloud. Within a VPC, you can create subnets, route tables, network gateways, and more.

D. Internet Gateway: An internet gateway is a component that allows communication between resources in a VPC and the internet.

E. Subnet: A subnet is a range of IP addresses in your VPC. Subnets can be public or private and are essential for organizing resources within a VPC.

Why other options are not suitable:

A. Amazon API Gateway: Used for creating and managing APIs, not a direct component of a VPC.

B. Amazon S3 buckets and objects: Amazon S3 is a storage service; its resources are globally accessible and not confined to a VPC.

C. AWS Storage Gateway: A hybrid cloud storage service, not a core component of a VPC.

Rehosting ("lift and shift") is a migration strategy where applications are moved to the cloud with minimal changes, making it the least effort-intensive method for applications incompatible with the cloud. Repurchasing involves moving to a different product, often a SaaS solution, which can also minimize migration effort by avoiding the need for application-level changes. Retiring, replatforming, and refactoring require significant effort either in terms of analyzing and shutting down the application, making changes to the underlying platform, or redesigning the application architecture, respectively.

Spot Instances are a type of EC2 instance that let you bid on unused compute capacity, which AWS offers at a discount of up to 90% compared to On-Demand prices1. Spot Instances are suitable for fault-tolerant, stateless, or flexible applications that can handle interruptions2. Spot Instances can be interrupted with a two-minute warning when EC2 needs the capacity back3. The other options are not pricing models that will interrupt a running EC2 instance if capacity becomes temporarily unavailable

AWS Outposts is an AWS offering that brings AWS infrastructure and services to a customer's on-premises location. It allows companies to run AWS services locally while meeting any regulatory or compliance requirements to keep data or applications on-premises. Dedicated Instances are EC2 instances that run on hardware dedicated to a single customer but are still within AWS data centers. Amazon CloudFront is a CDN service, and AWS Fargate is a serverless compute engine for containers, neither of which meets the requirement for running an application on-premises.

Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to analyze all your data using your existing business intelligence tools. You can start small with no commitments, and scale to petabytes for less than a tenth of the cost of traditional solutions. Amazon Redshift does not require manual hardware and software management, as AWS handles all the tasks such as provisioning, patching, backup, recovery, failure detection, and repair12. Amazon Redshift also offers serverless capabilities, which allow you to access and analyze data without any configurations or capacity planning. Amazon Redshift automatically scales the data warehouse capacity to deliver fast performance for even the most demanding and unpredictable workloads3. Therefore, Amazon Redshift meets the requirements of the company, compared to the other options.

The other options are not suitable for the company’s requirements, because:

Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. It is not designed for petabyte-scale data warehousing or analytics4.

Amazon Neptune is a fast, reliable, and fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. It is not designed for petabyte-scale data warehousing or analytics5.

Amazon ElastiCache is a fully managed in-memory data store and cache service that supports Redis and Memcached. It is not designed for petabyte-scale data warehousing or analytics.

What is Amazon Redshift? - Amazon Redshift

Amazon Redshift Features - Amazon Redshift

Amazon Redshift Serverless - Amazon Redshift

What Is Amazon DocumentDB (with MongoDB compatibility)? - Amazon DocumentDB (with MongoDB compatibility)

What Is Amazon Neptune? - Amazon Neptune

[What Is Amazon ElastiCache for Redis? - Amazon ElastiCache for Redis]

According to the AWS Shared Responsibility Model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs AWS services, such as DynamoDB, while the customer is responsible for properly configuring the security of the provided service. For abstracted services, such as DynamoDB, the customer is primarily responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriatepermissions12. Therefore, the customer is responsible for controlling the access to DynamoDB tables, such as by creating IAM policies, roles, and users, and using encryption and authentication mechanisms3. References:

Shared Responsibility Model - Amazon Web Services (AWS)

Security and compliance in Amazon DynamoDB - Amazon DynamoDB

What is Shared Responsibility Model? - Check Point Software

The AWS Cloud Adoption Framework (AWS CAF) security perspective helps users achieve the confidentiality, integrity, and availability of their data and cloud workloads. It comprises nine capabilities that are grouped into three categories: preventive, detective, and responsive. Incident response and infrastructure protection are two of the capabilities in the responsive and preventive categories, respectively. Incident response helps users prepare for and respond to security incidents in a timely and effective manner, using tools and processes that leverage AWS features and services. Infrastructure protection helps users implement security controls and mechanisms to protect their cloud resources, such as network, compute, storage, and database, from unauthorized access or malicious attacks. References: Security perspective: compliance and assurance, AWS Cloud Adoption Framework

AWS CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service in your AWS account. CloudTrail captures all API calls for AWS services as events, including calls from the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services. You can use CloudTrail to monitor, audit, and troubleshoot your AWS accountactivity34. AWS Trusted Advisor is a service that provides best practices recommendations for cost optimization, performance, security, and fault tolerance in your AWS account5. Amazon Inspector is a service that helps you improve the security and compliance of your applications deployed on AWS by automatically assessing them for vulnerabilities and deviations from best practices6. AWS X-Ray is a service that helps you analyze and debug your applications by collecting data about the requests that your application serves, and providing tools to view, filter, and gain insights into that data7. References: Logging AWS Audit Manager API calls with CloudTrail, Logging AWS Account Management API calls using AWS CloudTrail, Review API calls in your AWS account using CloudTrail, Monitor the usage of AWS API calls using Amazon CloudWatch, Which service enables customers to audit API calls in their AWS …

Amazon S3 (Simple Storage Service)is a scalable object storage service that allows users to store and retrieve any amount of data at any time from anywhere on the web. S3 provides the ability to make objects (files) publicly accessible via a public URL, which allows users to download files directly. S3 is highly durable, scalable, and secure, making it an ideal service for storing files that need to be accessed publicly.

Why other options are not suitable:

A. Amazon Redshift: A data warehouse service designed for complex queries and analytics, not for storing and publicly sharing files.

B. Amazon Elastic Block Store (Amazon EBS): Provides block storage for use with EC2 instances, but does not support public URLs or direct file access from the web.

C. Amazon Elastic File System (Amazon EFS): A managed file storage service for use with EC2 instances, not designed for public access via URLs.

Amazon Redshiftis a fully managed data warehouse service that enables users to analyze large amounts of data quickly and cost-effectively. It is designed specifically for online analytical processing (OLAP) and is optimized for complex queries against large datasets. Amazon Redshift uses columnar storage, data compression, and massively parallel processing (MPP) to handle petabyte-scale data warehouse environments.

A. Amazon RDS: Incorrect, as it is a managed relational database service for online transaction processing (OLTP) workloads, not specifically designed for data warehousing.

B. Amazon DynamoDB: Incorrect, as it is a NoSQL database service for fast and flexible data storage, not a data warehouse.

D. Amazon Aurora: Incorrect, as it is a MySQL- and PostgreSQL-compatible relational database designed for high performance and availability for OLTP workloads, not data warehousing.

AWS Cloud References:

Amazon Redshift

According to theAWS Shared Responsibility Model, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, including Amazon S3. This infrastructure includes hardware, software, networking, and facilities that run AWS services.

A. Configure an S3 Lifecycle policy: Incorrect, as configuring S3 Lifecycle policies to manage object lifecycle (e.g., transitioning objects to different storage classes or deleting them after a certain period) is the customer's responsibility.

B. Activate S3 Versioning: Incorrect, as enabling S3 Versioning is a customer responsibility for managing data protection.

C. Configure S3 bucket policies: Incorrect, as setting and managing S3 bucket policies to control access is the customer's responsibility.

AWS Cloud References:

AWS Shared Responsibility Model

Amazon S3

On-Demand Instances are ideal for workloads that require flexibility, offering compute capacity with no upfront cost, allowing users to pay by the second for the instances they use. This makes it suitable for applications with short-term, spiky, or unpredictable workloads that cannot be interrupted. Reserved Instances require long-term commitments, Spot Instances can be interrupted, and Dedicated Instances are for specific hardware requirements, making On-Demand the correct choice for uninterruptible and flexible instance usage.

Reserved Instances (RIs)offer a significant discount (up to 75%) compared to On-Demand pricing in exchange for committing to use AWS for a period of 1 or 3 years. This pricing model is ideal for applications with predictable usage patterns or long-term commitments, such as critical production systems that will be running for at least 3 years.

A. On-Demand Instances: Incorrect, as they provide flexibility without commitment but are more expensive over the long term.

C. Spot Instances: Incorrect, as they offer the lowest cost for non-critical, interruptible workloads but are not suitable for critical production systems due to their potential for sudden termination.

D. AWS Free Tier: Incorrect, as it provides limited free usage for certain AWS services for a short period (typically one year) and is not intended for long-term production workloads.

AWS Cloud References:

Amazon EC2 Reserved Instances

The correct answer is C because Spot Instances are the pricing model that enables the company to run its existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively. Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads that can recover from interruptions easily. The other options are incorrect because they are not the pricing model that enables the company to run its existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively. Reserved Instances are Amazon EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate. Reserved Instances are suitable for steady-state or predictable workloads that run for a long duration. On-Demand Instances are Amazon EC2 instances that are launched and billed at a fixed hourly rate. On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads that cannot be interrupted. Dedicated Hosts are physical servers that are dedicated to a single customer. Dedicated Hosts are suitable for workloads that require regulatory compliance or data isolation. Reference: Amazon EC2 Instance Purchasing Options

AWS Database Migration Service (AWS DMS) is a cloud service that makes it possible to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or between combinations of cloud and on-premises setups. With AWS DMS, you can discover your source data stores, convert your source schemas, and migrate your data. AWS DMS supports migration between 20-plus database and analytics engines, such as Oracle to Amazon Aurora MySQL-Compatible Edition, MySQL to Amazon Relational Database (RDS) for MySQL, Microsoft SQL Server to Amazon Aurora PostgreSQL-Compatible Edition, MongoDB to Amazon DocumentDB (with MongoDB compatibility), Oracle to Amazon Redshift, and Amazon Simple Storage Service (S3). You can perform one-time migrations or replicate ongoing changes to keep sources and targets in sync. AWS DMS automatically manages the deployment, management, and monitoring of all hardware and software needed for your migration. AWS DMS is a highly resilient, secure cloud service that provides database discovery, schema conversion, data migration, and ongoing replication to and from a wide range of databases and analytics systems12. References:

Database Migration - AWS Database Migration Service - AWS

What is AWS Database Migration Service? - AWS Database Migration Service

Reducing Costs with AWS Cloud:

Capacity Adjustment (B):

Elasticity: AWS allows you to scale your resources up or down based on demand, which means you only pay for what you use. This reduces the cost of over-provisioning resources.

Auto Scaling: Automatically adjusts compute capacity based on usage, ensuring cost efficiency.

Eliminating On-Premises Costs (E):

No Infrastructure Maintenance: By using AWS, businesses do not need to invest in physical infrastructure or handle maintenance, reducing both capital and operational expenditures.

Managed Services: AWS offers managed services that reduce the need for in-house technical staff to manage and maintain infrastructure.

AWS Cloud Economics Center

AWS Benefits

 The correct answers are B and D because making data-driven decisions to determine cloud architectural design and testing systems at production scale are AWS Cloud design principles. Making data-driven decisions to determine cloud architectural design means that users should collect and analyze data from their AWS resources and applications to optimize their performance, availability, security, and cost. Testing systems at production scale means that users should simulate real-world scenarios and load conditions to validate the functionality, reliability, and scalability of their systems. The other options are incorrect because they are not AWS Cloud design principles. Paying for compute resources in advance means that users have to invest heavily in data centers and servers before they know how they will use them. This is not a cloud design principle, but rather a traditional IT model. Emphasizing manual processes to allow for changes means that users have to rely on human intervention and coordination to perform operational tasks and updates. This is not a cloud design principle, but rather a source of inefficiency and error. Refining operational procedures infrequently means that users have to stick to the same methods andpractices without adapting to the changing needs and feedback. This is not a cloud design principle, but rather a hindrance to innovation and improvement. Reference: AWS Well-Architected Framework

AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. Users can download reports such as AWS ISO certifications, PCI reports, SOC reports, and GDPR DPA, and review and accept agreements such as BAA and NDA. AWS Artifact helps users to understand and meet compliance requirements for various standards and regulations that apply to AWS services and infrastructure. AWS Artifact is the best resource for a user to find compliance-related information and reports about AWS, whereas the other options are not

AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation. Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. Security Hub also collects findings from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate an administrator account that can access all findings across their accounts. References: AWS Security Hub Overview, AWS Security Hub FAQs

According to the AWS shared responsibility model, AWS is responsible for security of the cloud, while customers are responsible for security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs AWS services, such as hardware, software, networking, and facilities. Customers are responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriate permissions. For abstracted services, such as Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and provides customers with public endpoints to store and retrieve data. Customers are responsible for classifying their data, managing their encryption options, and configuring their access permissions. References: Shared Responsibility Model, Security and compliance in Amazon DynamoDB, [AWS Cloud Practitioner Essentials: Module 2 - Security in the Cloud]

AWS Direct Connect is an AWS service that allows users to establish a dedicated network connection between their on-premises data center and the AWS Cloud. This connection bypasses the public internet and provides more predictable network performance, reduced bandwidth costs, and increased security. Users can choose from different port speeds and connection types, and use AWS Direct Connect to access AWS services in any AWS Region globally. Users can also use AWS Direct Connect in conjunction with AWS VPN to create a hybrid network architecture that combines the benefits of both private and public connectivity. References: AWS Direct Connect, [AWS Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]

AWS SDKs are a set of tools that allow users to connect with AWS and deploy resources programmatically. AWS SDKs provide libraries, code samples, documentation, and other resources to help users write code that interacts with AWS APIs. AWS SDKs support various programming languages, such as Java, Python, Ruby, .NET, Node.js, Go, and more. AWS SDKs make it easier for users to access AWS services, such as Amazon S3, Amazon EC2, Amazon DynamoDB, AWS Lambda, and more, from their applications. AWS SDKs also handle tasks such as authentication, error handling, retries, and data serialization, so users can focus on their application logic .

The other options are not AWS services or tools that give users the ability to connect with AWS and deploy resources programmatically. Amazon QuickSight is a business intelligence service that lets users create and share interactive dashboards and visualizations1. AWS PrivateLink is a service that enables users to securely access services hosted on AWS in a scalable and cost-effective manner2. AWS Direct Connect is a service that establishes a dedicated network connection between a user’s premises and AWS3.

AWS Fargateis a serverless compute engine for containers that allows users to run containers without having to manage the underlying infrastructure. Fargate eliminates the need for managing servers and reduces operational overhead, providing a fully managed, serverless approach to containerized applications. It helps avoid unplanned administration and operational costs and is ideal for companies migrating from on-premises container infrastructure.

Why other options are not suitable:

A. Amazon Connect: A service for cloud-based contact centers, not for container management.

C. Amazon Lightsail: Simplifies virtual private server (VPS) management but is not serverless or specialized for containers.

D. Amazon EC2: Provides virtual servers but requires more manual administration and is not serverless.

Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that lets you send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available1. Amazon SQS is designed to provide a simpleand reliable way for customers to decouple and connect components (microservices) together using queues2. Queues are an important mechanism for providing fault tolerance and scalability in distributed systems, and help decouple different parts of your application3. The other options are not AWS services that are used specifically for sending messages between applications

AWS Outposts is an AWS service that meets the requirement of running AWS services on premises with access to the company network and the company’s VPC. AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, or local data storage2.

 Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for workloads that can tolerate interruptions, such as batch processing, data analysis, and testing. Spot Instances are allocated based on the current supply and demand, and can be reclaimed by AWS with a two-minute notice when the demand exceeds the supply5. Convertible Reserved Instances are a type of Reserved Instances that provide a significant discount (up to 54%) compared to On-Demand prices and a capacity reservation for Amazon EC2 instances. They are available in 1-year or 3-year terms and allow users to change the instance family, size, operating system, or tenancy during the term. Standard Reserved Instances are another type of Reserved Instances that provide a larger discount (up to 75%) compared to On-Demand prices and a capacity reservation for Amazon EC2 instances. They are available in 1-year or 3-year terms and do not allow users to change the instance attributes during the term. Dedicated Hosts are physical servers with Amazon EC2 instance capacity fully dedicated to the user’s use. They are suitable for users who have specific server-bound software licenses or compliance requirements.

Designing for automatic failover to healthy resources is an AWS best practice when designing AWS workloads to be operational even when there are component failures. This means that you should architect your system to handle the loss of one or more components without impacting the availability or performance of your application. You can use various AWS services and features to achieve this, such as Auto Scaling, Elastic Load Balancing, Amazon Route 53, Amazon CloudFormation, and AWS CloudFormation4.

 AWS Abuse team is the AWS group or team that the company should notify if it suspects that its AWS resources are being used for illegal activities. AWS Abuse team is a dedicated team that handles reports of abuse, such as spam, phishing, malware, denial-of-service attacks, and unauthorized access, involving AWS resources. The company can contact the AWS Abuse team byfilling out the [Report Abuse of AWS Resources form] or sending an email to abuse@amazonaws.com. The company should provide as much information as possible, such as the source and destination IP addresses, timestamps, log files, and screenshots, to help the AWS Abuse team investigate and take appropriate actions. For more information, see [Reporting Abuse] and [AWS Acceptable Use Policy].

AWS Storage Gateway is a hybrid cloud storage service that provides on-premises access to virtually unlimited cloud storage. You can use AWS Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases. One of these use cases is tape-based backup, which allows you to store data backups on virtual tapes in the AWS Cloud. You can use the Tape Gateway feature of AWS Storage Gateway to extend your existing physical tape library to the AWS Cloud. Tape Gateway provides a virtual tape infrastructure that scales seamlessly with your backup needs and eliminates the operational burden of provisioning, scaling, and maintaining a physical tape infrastructure123. References: 1: CloudStorage Appliances, Hybrid Device - AWS Storage Gateway - AWS, 2: AWS Storage Gateway Documentation, 3: AWS Storage Gateway Features | Amazon Web Services

AWS Well-Architected Framework promotes AWS Cloud architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems. AWS Well-Architected Framework is a set of guidelines and best practices that help the user to evaluate and improve the architecture of their applications and workloads on AWS. AWS Well-Architected Framework consists of five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. Each pillar provides a set of design principles, questions, and best practices that help the user to achieve the desired outcomes for their systems.

Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora PostgreSQL-Compatible Edition. It is a fully managed service that automatically scales up and down based on the application’s actual needs. Amazon Aurora Serverless is suitable for applications that have infrequent, intermittent, or unpredictable database workloads, and that do not require the full power and range of options provided by provisioned Aurora clusters. Amazon Aurora Serverless eliminates the need to provision and manage database instances, and reduces the management overhead associated with database administration tasks such as scaling, patching, backup, and recovery. References: Amazon Aurora Serverless, Choosing between Aurora Serverless and provisioned Aurora DB clusters, [AWS Cloud Practitioner Essentials: Module 4 - Databases in the Cloud]

AWS customers are responsible for enabling encryption of data at rest for Amazon Elastic Block Store (Amazon EBS). Amazon EBS encryption offers a simple encryption solution for your EBSvolumes that does not require you to build, maintain, and secure your own key management infrastructure. You can encrypt both the boot and data volumes of your EC2 instances. You can use AWS Key Management Service (AWS KMS) customer master keys (CMKs) or your own CMKs to encrypt your volumes2.

 Consolidated billing is an AWS feature that allows users to combine the usage and costs of multiple AWS accounts into a single bill. This enables users to obtain billing discounts that are based on the company’s use of AWS services, such as volume pricing tiers, Reserved Instance discounts, andSavings Plans discounts5. Resource tagging is an AWS feature that allows users to assign metadata to AWS resources, such as EC2 instances, S3 buckets, and Lambda functions. This enables users to organize, track, and manage their AWS resources, such as filtering, grouping, and reporting. Pay-as-you-go pricing is an AWS pricing model that allows users to pay only for the resources and services they use, without any upfront or long-term commitments. This enables users to lower their costs by scaling up or down as needed, and avoiding over-provisioning or under-utilization. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for workloads that can tolerate interruptions, such as batch processing, data analysis, and testing. Spot Instances are allocated based on the current supply and demand, and can be reclaimed by AWS with a two-minute notice when the demand exceeds the supply.

Amazon Route 53 is the AWS service that provides DNS resolution. DNS (Domain Name System) is a service that translates domain names into IP addresses. Amazon Route 53 is a highly available and scalable cloud DNS service that offers domain name registration, DNS routing, and health checking. Amazon Route 53 can route the traffic to various AWS services, such as Amazon EC2, Amazon S3, and Amazon CloudFront. Amazon Route 53 can also integrate with other AWS services, such as AWS Certificate Manager, AWS Shield, and AWS WAF. For more information, see [What is Amazon Route 53?] and [Amazon Route 53 Features].

 Amazon S3 offers unlimited storage for any amount of data. You can store as many objects as you want, and each object can be as large as 5 terabytes. You pay only for the storage space that you actually use, and there are no minimum commitments or upfront fees. Amazon S3 also provides high durability, availability, scalability, and security for your data.

 Increased business agility is a benefit of moving to the AWS Cloud in terms of improving time to market. Business agility refers to the ability of a company to adapt to changing customer needs, market conditions, and competitive pressures. Moving to the AWS Cloud enables business agility by providing faster access to resources, lower upfront costs, and greater scalability and flexibility. By using the AWS Cloud, companies can launch new products and services, experiment with new ideas, and respond to customer feedback more quickly and efficiently. For more information, see [Benefits of Cloud Computing] and [Business Agility].

 AWS Shield Standard is a service that provides protection against Distributed Denial of Service (DDoS) attacks for all AWS customers at no additional charge. It automatically detects and mitigates the most common and frequently occurring network and transport layer DDoS attacks that target AWS resources, such as Amazon EC2 instances, Elastic Load Balancers, Amazon CloudFront distributions, and Amazon Route 53 hosted zones. AWS Firewall Manager is a service that allows users to centrally configure and manage firewall rules across their AWS accounts and resources, such as AWS WAF web ACLs, AWS Shield Advanced protections, and Amazon VPC security groups. AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It analyzes the behavior of the applications and checks for vulnerabilities, exposures, and deviations from best practices.

Deploying the application by using multiple Availability Zones is the best way to increase resilience for the application. According to the Amazon RDS User Guide, "Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups."4 Deploying a copy of the application in another AWS account, using multiple VPCs, or using multiple subnets do not provide the same level of resilience as using multiple Availability Zones.

Compute Savings Plans are a flexible and cost-effective way to optimize long-term compute costs of AWS Lambda functions and Amazon EC2 instances. With Compute Savings Plans, customers can commit to a consistent amount of compute usage (measured in $/hour) for a 1-year or 3-year termand receive a discount of up to 66% compared to On-Demand prices3. Dedicated Hosts are physical servers with EC2 instance capacity fully dedicated to the customer’s use. They are suitable for customers who have specific server-bound software licenses or compliance requirements4. Reserved Instances are a pricing model that provides a significant discount (up to 75%) compared to On-Demand pricing and a capacity reservation for EC2 instances. They are available in 1-year or 3-year terms and different payment options5. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for customers who have flexible start and end times, can withstand interruptions, and can handle excess capacity.

AWS Secrets Manager is an AWS service that can be used to securely store and encrypt passwords for a database. It allows users to manage secrets, such as database credentials, API keys, and tokens, in a centralized and secure way. It also provides features such as automatic rotation, fine-grained access control, and auditing. AWS Shield is an AWS service that provides protection against Distributed Denial of Service (DDoS) attacks for AWS resources and services. It does not store or encrypt passwords for a database. AWS Identity and Access Management (IAM) is an AWS service that allows users to manage access to AWS resources and services. It can be used to create users, groups, roles, and policies that control who can do what in AWS. It does not store or encrypt passwords for a database. Amazon Cognito is an AWS service that provides user identity and data synchronization for web and mobile applications. It can be used to authenticate and authorize users, manage user profiles, and sync user data across devices. It does not store or encrypt passwords for a database.

Amazon Redshift is the service that meets the requirements of using standard SQL to query and combine exabytes of structured and semi-structured data across a data warehouse, operational database, and data lake. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that allows you to run complex analytic queries using standard SQL and your existing business intelligence tools. Amazon Redshift also supports Redshift Spectrum, a feature that allows you to directly query and join data stored in Amazon S3 using the same SQL syntax. Amazon Redshift can scale up or down to handle any volume of data and deliver fast query performance5

 Resource elasticity is an AWS value proposition that describes a user’s ability to scale infrastructure based on demand. Resource elasticity means that the user can provision or deprovision resources quickly and easily, without any upfront commitment or long-term contract. Resource elasticity can help the user optimize the cost and performance of the application, as well as respond to changing business needs and customer expectations. Resource elasticity can be achieved by using services such as Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, Amazon ECS, and AWS Lambda. [AWS Cloud Value Framework] AWS Certified Cloud Practitioner - aws.amazon.com

 The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating systems in the cloud. The framework consists of five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. The concept of elasticity represents a system’s ability to adapt to changes in demand by scaling resources up or down automatically. Therefore, the correct answer is B. You can learn more about the AWS Well-Architected Framework and its pillars

 AWS Config and service control policies (SCPs) are AWS services or features that the company can use to create and define controls (guardrails) in a newly created AWS Control Tower landing zone. AWS Config is a service that enables users to assess, audit, and evaluate the configurations of their AWS resources. It can be used to create rules that check for compliance with the desired configurations and report any deviations. AWS Control Tower provides a set of predefined AWS Config rules that can be enabled as guardrails to enforce compliance across the landing zone1. Service control policies (SCPs) are a type of policy that can be used to manage permissions in AWS Organizations. They can be used to restrict the actions that the users and roles in the member accounts can perform on the AWS resources. AWS Control Tower provides a set of predefined SCPsthat can be enabled as guardrails to prevent access to certain services or regions across the landing zone2. Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for AWS accounts and resources. It is not a feature that can be used to create and define controls (guardrails) in a landing zone. AWS Identity and Access Management (IAM) is a service that allows users to manage access to AWS resources and services. It can be used to create users, groups, roles, and policies that control who can do what in AWS. It is not a feature that can be used to create and define controls (guardrails) in a landing zone. Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2 instances. They can be used to allow or deny access to an EC2 instance based on the port, protocol, and source or destination. They are not a feature that can be used to create and define controls (guardrails) in a landing zone.

The AWS service that is used to temporarily provide federated security credentials to a user is AWS Security Token Service (AWS STS). AWS STS is a service that enables customers to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that they authenticate (federated users). The company can use AWS STS to grant federated users access to AWS resources without creating permanent IAM users or sharing long-term credentials. AWS STS helps customers manage and secure access to their AWS resources for federated users. Amazon GuardDuty, AWS Secrets Manager, and AWS Certificate Manager are not the best services to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior across the AWS accounts and resources.AWS Secrets Manager is a service that helps customers manage and rotate secrets, such as database credentials, API keys, and passwords. AWS Certificate Manager is a service that helps customers provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. These services are more useful for different types of security and compliance tasks, rather than providing temporary federated security credentials to a user.

 Applying security requirements at all layers of a process is a policy that complies with guidance in the security pillar of the AWS Well-Architected Framework. The security pillar of the AWS Well-Architected Framework provides best practices for securing the user’s data and systems in the AWS Cloud. One of the design principles of the security pillar is to apply security at all layers, which means that the user should implement defense-in-depth strategies and avoid relying on a single security mechanism. For example, the user should use multiple security controls, such as encryption, firewalls, identity and access management, and logging and monitoring, to protect their data and resources at different layers.

 The common stakeholders for the AWS Cloud Adoption Framework (AWS CAF) platform perspective are IT architects and engineers. The AWS CAF is a guidance that helps organizations design and travel an accelerated path to successful cloud adoption. The AWS CAF organizes thecloud adoption process into six areas of focus, called perspectives, which are business, people, governance, platform, security, and operations. Each perspective is divided into capabilities, which are further divided into skills and responsibilities. The platform perspective focuses on the provisioning and management of the cloud infrastructure and services that support the business applications. The platform perspective capabilities are design, implementation, and optimization. The stakeholders for the platform perspective are the IT architects and engineers who are responsible for designing, implementing, and optimizing the cloud platform. Chief financial officers (CFOs), chief information officers (CIOs), and chief data officers (CDOs) are not the common stakeholders for the AWS CAF platform perspective. CFOs are the common stakeholders for the AWS CAF business perspective, which focuses on the value realization of the cloud adoption. CIOs are the common stakeholders for the AWS CAF governance perspective, which focuses on the alignment of the IT strategy and processes with the business strategy and goals. CDOs are the common stakeholders for the AWS CAF security perspective, which focuses on the protection of the information assets and systems in the cloud.

 The correct answer is A because an Availability Zone consists of one or more data centers in a single location. An Availability Zone is an isolated location within an AWS Region that has independent power, cooling, and networking. Each Availability Zone has one or more data centers that host the physical servers and storage devices that run the AWS services. The other options are incorrect because they are not accurate descriptions of an Availability Zone. Two or more data centers in multiple locations are not an Availability Zone, but rather multiple Availability Zones within an AWS Region. One or more physical hosts in a single data center are not an Availability Zone, butrather the components of a data center within an Availability Zone. Two or more physical hosts in multiple data centers are not an Availability Zone, but rather the components of multiple data centers within one or more Availability Zones. Reference: [Regions, Availability Zones, and Local Zones]

The correct answer is A because Amazon DynamoDB is a key-value database that provides sub-millisecond latency on a large scale. Amazon DynamoDB is a fully managed, serverless, and scalable NoSQL database service that supports both key-value and document data models. The other options are incorrect because they are not key-value databases. Amazon Aurora is a relational database that is compatible with MySQL and PostgreSQL. Amazon DocumentDB (with MongoDB compatibility) is a document database that is compatible with MongoDB. Amazon Neptune is a graph database that supports property graph and RDF models. Reference: Amazon DynamoDB FAQs

Amazon Kendra is a service that provides a highly accurate and easy-to-use enterprise search service that is powered by machine learning. Kendra delivers powerful natural language search capabilities to your websites and applications so your end users can more easily find the information they need within the vast amount of content spread across your company. Amazon SageMaker is a service that provides a fully managed platform for data scientists and developers to quickly and easily build, train, and deploy machine learning models at any scale. Amazon Augmented AI (Amazon A2I) is a service that makes it easy to build the workflows required for human review of ML predictions. Amazon A2I brings human review to all developers, removing the undifferentiated heavy lifting associated with building human review systems or managing large numbers of human reviewers. Amazon Polly is a service that turns text into lifelike speech, allowing you to create applications that talk, and build entirely new categories of speech-enabled products. None of these services provide an enterprise search service that is powered by machine learning.

 AWS Regions are geographic areas around the world where AWS has clusters of data centers. Each AWS Region consists of multiple, isolated, and physically separate AZ’s within a geographic area. By hosting the customer’s data in a specific AWS Region, the company can meet the requirement of hosting the data in the customer’s country. AWS Shield is a service that provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. Amazon S3 Object Lock is afeature that allows you to store objects using a write-once-read-many (WORM) model. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely. Placement groups are logical grouping of instances within a single Availability Zone. Placement groups enable applications to participate in a low-latency, 10 Gbps network. None of these services or infrastructure components can help the company host the customer’s data in a different country.

Amazon Virtual Private Cloud (Amazon VPC) is the AWS service that allows customers to create multiple isolated networks in the same AWS account. A VPC is a logically isolated section of the AWS Cloud where customers can launch AWS resources in a virtual network that they define. Customers can create multiple VPCs within an AWS account, each with its own IP address range, subnets, route tables, security groups, network access control lists, gateways, and other components. AWS Transit Gateway, Internet gateway, and Amazon EC2 are not services or components that provide the functionality of creating multiple isolated networks in the same AWS account. AWS Transit Gateway is a service that enables customers to connect their Amazon VPCs and their on-premises networks to a single gateway. An Internet gateway is a component that enables communication between instances in a VPC and the Internet. Amazon EC2 is a service that provides scalable compute capacity in the cloud34

Amazon ElastiCache is a fully managed in-memory data store service that is compatible with open source engines such as Redis and Memcached1. It provides fast and scalable performance for applications that require high throughput and low latency1. Amazon DynamoDB is a fully managed NoSQL database service that provides consistent and single-digit millisecond latency at any scale2. Amazon EBS is a block storage service that provides persistent and durable storage volumes for Amazon EC2 instances3. Amazon Redshift is a fully managed data warehouse service that allows users to run complex analytic queries using SQL4.

Amazon RDS and Amazon EC2 are two AWS services that you can use to host and run a MySQL database. Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the cloud. You can use Amazon RDS to launch a MySQL database instance and let Amazon RDS manage common database tasks such as backups, patching, scaling, and replication6. Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. You can use Amazon EC2 to launch a virtual server and install MySQL software on it. You have complete control over your database configuration, but you are responsible for managing and maintaining the database software and the underlying infrastructure7. Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon MQ is a managed message broker service for Apache ActiveMQ. None of these services can help you host and run a MySQL database.

Managing service control policies (SCPs) is an activity that companies can complete by using AWS Organizations. AWS Organizations is a service that enables the user to consolidate multiple AWS accounts into an organization that can be managed as a single unit. AWS Organizations allows the user to create groups of accounts and apply policies to them, such as service control policies (SCPs) that specify the services and actions that users and roles can access in the accounts. AWS Organizations also enables the user to use consolidated billing, which combines the usage and charges from all the accounts in the organization into a single bill3.

The solution that meets the requirement of the company that runs a database on Amazon Aurora in the us-east-1 Region and has a disaster recovery requirement that the database be available inanother Region with minimal disruption to the database operations is to deploy Aurora cross-Region read replicas. Aurora cross-Region read replicas are secondary Aurora clusters that are created in a different AWS Region from the primary Aurora cluster, and are kept in sync with the primary cluster using physical replication. The company can use Aurora cross-Region read replicas to improve the availability and durability of the database, as well as to reduce the recovery time objective (RTO) and recovery point objective (RPO) in case of a regional disaster. Performing an Aurora Multi-AZ deployment, creating Amazon EBS volume snapshots for Aurora and copying them to another Region, and deploying Aurora Replicas are not the best solutions for this requirement. An Aurora Multi-AZ deployment is a configuration that creates one or more Aurora Replicas within the same AWS Region as the primary Aurora cluster, and provides automatic failover in case of an Availability Zone outage. However, this does not provide cross-Region disaster recovery. Creating Amazon EBS volume snapshots for Aurora and copying them to another Region is a manual process that requires stopping the database, creating the snapshots, copying them to the target Region, and restoring them to a new Aurora cluster. This process can cause significant downtime and data loss. Deploying Aurora Replicas is a configuration that creates one or more secondary Aurora clusters within the same AWS Region as the primary Aurora cluster, and provides read scaling and high availability. However, this does not provide cross-Region disaster recovery.

The correct answers to the questions are B and E because reliability and operational excellence are pillars of the AWS Well-Architected Framework. The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. The AWS Well-Architected Framework consists of five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. Each pillar has a set of design principles that describe the characteristics of a well-architected system. Reliability is the pillar that focuses on the ability of a system to recover from failures and meet business and customer demand. Operational excellence is the pillar that focuses on the ability of a system to run and monitor processes that support business outcomes and continually improve. The other options are incorrect because they are not pillars of the AWS Well-Architected Framework. Availability, scalability, and responsive design are important aspects of cloud architecture, but they are not separate pillars in the framework. Availability and scalability are related to the reliability and performance efficiency pillars, while responsive design is related to the customer experience and user interface. Reference: AWS Well-Architected Framework

Amazon CloudFront with Amazon S3 is a solution that allows you to provide static files securely to users from around the world. Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. You can use Amazon S3 to store and retrieve any amount of data from anywhere. You can also configure Amazon S3 to work with Amazon CloudFront to distribute your content to edge locations near your users for faster delivery and lower latency. Amazon Kinesis Data Streams is a service that enables you to build custom applications that process or analyze streaming data for specialized needs. This option is not relevant for providing static files securely. Amazon EC2 instances with an Application Load Balancer is a solution that allows you to distribute incoming traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. This option is suitable for dynamic web applications, but not necessary for static files. Amazon Elastic File System (Amazon EFS) is a service that provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. This option is not relevant for providing static files securely.

Elastic Load Balancing (ELB) distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, ensuring better application availability and fault tolerance. While ELB scales to meet traffic demands, it does not inherently scale compute resources themselves, span multiple regions, or balance traffic between internet gateways.

AWS Artifact is the service that will provide the information about whether a specific AWS service is compliant with specific compliance frameworks. AWS Artifact is a self-service portal that allows you to access, review, and download AWS security and compliance reports and agreements. You canuse AWS Artifact to verify the compliance status of AWS services across various regions and compliance programs, such as ISO, PCI, SOC, FedRAMP, HIPAA, and more12

 The correct answer is B because security groups are AWS features that act as instance-level firewalls to control inbound and outbound access. Security groups are virtual firewalls that can be attached to one or more Amazon EC2 instances. Users can configure rules for security groups to allow or deny traffic based on protocols, ports, and source or destination IP addresses. The other options are incorrect because they are not AWS features that act as instance-level firewalls to control inbound and outbound access. Network access control list is an AWS feature that acts as a subnet-level firewall to control inbound and outbound access. AWS Trusted Advisor is an AWS service that provides real-time guidance to help users follow AWS best practices for security, performance, cost optimization, and fault tolerance. Virtual private gateways are AWS features that enable users to create a secure and encrypted connection between their VPC and their on-premises network. Reference: Security Groups for Your VPC

 AWS Enterprise Support is the AWS Support plan that includes an AWS concierge whom the company can ask for assistance. According to the AWS Support Plans page, AWS Enterprise Support provides "a dedicated Technical Account Manager (TAM) who provides advocacy and guidance to help plan and build solutions using best practices, coordinate access to subject matter experts, and proactively keep your AWS environment operationally healthy."2 AWS Business Support, AWS Developer Support, and AWS Basic Support do not include a TAM or a concierge service.

Amazon EC2 Auto Scaling is the AWS service or tool that can help the company launch the number of EC2 instances that will be needed to handle the workload. Amazon EC2 Auto Scaling automatically adjusts the capacity of the EC2 instances based on the demand and the predefined scaling policies. Amazon EC2 Auto Scaling also helps to improve availability and reduce costs by scaling in and out as needed. For more information, see What is Amazon EC2 Auto Scaling? and [Getting Started with Amazon EC2 Auto Scaling].

Amazon Workspaces is the AWS service that provides the functionality of remotely accessing virtual desktop computers from the internet. Amazon Workspaces is a fully managed, secure desktop-as-a-service (DaaS) solution that allows users to provision cloud-based virtual desktops and access them from anywhere, using any supported device. Amazon Workspaces helps users reduce the complexity and cost of managing and maintaining physical desktops, and provides a consistent and secure user experience

A benefit of decoupling an AWS Cloud architecture is the ability to upgrade components independently. Decoupling is a way of designing systems to reduce interdependencies and minimize the impact of changes. Decoupling allows components to interact with each other through well-defined interfaces, rather than direct references. This reduces the risk of failures and errors propagating across the system, and enables greater scalability, availability, and maintainability. By decoupling an AWS Cloud architecture, the user can upgrade or modify one component without affecting the other components5.

 The ability to deploy to AWS on a global scale is a cloud benefit that AWS offers to its users. AWS has a global infrastructure that consists of AWS Regions, Availability Zones, and edge locations. Users can choose from multiple AWS Regions around the world to deploy their applications and data closer to their end users, while also meeting their compliance and regulatory requirements. Users can also leverage AWS services, such as Amazon CloudFront, Amazon Route 53, and AWS Global Accelerator, to improve the performance and availability of their global applications. AWS also provides tools and guidance to help users optimize their global deployments, such as AWS Well-Architected Framework, AWS CloudFormation, and AWS Migration Hub. AWS Global Infrastructure [AWS Cloud Value Framework] AWS Certified Cloud Practitioner - aws.amazon.com

 The perspective of the AWS Cloud Adoption Framework (AWS CAF) that connects technology and business is governance. The governance perspective focuses on the alignment of the IT strategy and processes with the business strategy and goals, as well as the management of the IT budget, risk, and compliance. The governance perspective capabilities are portfolio management, business performance management, and IT governance. The governance perspective helps organizations ensure that their cloud adoption delivers the expected business value and outcomes, and that their cloud solutions are secure, reliable, and compliant. Operations, people, and security are other perspectives of the AWS CAF, but they do not directly connect technology and business. The operations perspective focuses on the management and monitoring of the cloud resources and applications, as well as the automation and optimization of the operational processes. The people perspective focuses on the development and empowerment of the human resources, as well as the transformation of the organizational culture and structure. The security perspective focuses on the protection of the information assets and systems in the cloud, as well as the implementation of the security policies and controls.

 AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. With AWS Organizations, you can create a single payment method for all the AWS accounts in your organization through consolidated billing. Consolidated billing enables you to see a combined view of AWS charges incurred by all accounts in your organization, as well as get a detailed cost report for each individual AWS account associated with your organization. AWS Artifact is a service that provides on-demand access to AWS’ security and compliance reports and select online agreements. AWS Budgets is a service that enables you to plan your service usage, service costs, and instance reservations. AWS Trusted Advisor is a servicethat provides real-time guidance to help you provision your resources following AWS best practices. None of these services or tools offer consolidated billing.

AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. You can use AWS Service Catalog to centrally manage commonly deployed IT services and help your organization achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need1. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS software development kits (SDKs) are tools that enable you to easily integrate your applications with AWS services using your preferred programming language. AWS AppSync is a service that simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources. None of these services can help you limit your employees’ AWS access to a portfolio of predefined AWS resources.

The Amazon S3 Intelligent-Tiering storage class offers automatic cost savings by moving objects between tiers based on access pattern changes. This storage class is designed for data with unknown or changing access patterns. It has two access tiers: frequent access and infrequent access. Objects are stored in the frequent access tier by default, and are moved to the infrequent access tier after 30 consecutive days of no access. If an object in the infrequent access tier is accessed, it is moved back to the frequent access tier. There are no retrieval fees in S3 Intelligent-Tiering, and no additional tiering fees when objects are moved between access tiers within the S3 Intelligent-Tiering storage class1.

 Pay-as-you-go pricing is the feature of the AWS Cloud that gives users the ability to pay based on current needs rather than forecasted needs. Pay-as-you-go pricing means that users only pay for theAWS services and resources they use, without any upfront or long-term commitments. This allows users to scale up or down their usage depending on their changing business requirements, and avoid paying for idle or unused capacity. Pay-as-you-go pricing also enables users to benefit from the economies of scale and lower costs of AWS as they grow their business5

Using Amazon Elastic Container Service (Amazon ECS) to break down a monolithic architecture into microservices is an example of a loosely coupled architecture. A loosely coupled architecture is one where the components are independent and can communicate with each other through well-defined interfaces. This allows for greater scalability, flexibility, and resilience. A tightly coupled architecture is one where the components are interdependent and rely on each other for functionality. This can lead to increased complexity, fragility, and difficulty in changing or scaling the system. Amazon ECS OverviewAWS Well-Architected Framework

AWS Lambda is a service that lets you run code without provisioning or managing servers. You can use Lambda to process event notifications from Amazon S3 when objects are uploaded or deleted. Lambda integrates directly with the event notification and invokes your code automatically. Therefore, the correct answer is A. 

 The correct answer is C because AWS CloudHSM is an AWS service that enables the security engineer to meet the requirements. AWS CloudHSM is a service that provides customers with dedicated hardware security modules (HSMs) to create, control, and manage their own cryptographic keys in the AWS Cloud. AWS CloudHSM allows customers to meet strict regulatory compliance requirements for data security, such as FIPS 140-2 Level 3, PCI-DSS, and HIPAA. The other options are incorrect because they are not AWS services that enable the security engineer to meet the requirements. AWS Key Management Service (AWS KMS) is a service that provides customers with a fully managed, scalable, and integrated key management system to create and control encryption keys for AWS services and applications. AWS KMS does not provide customers with single-tenant or dedicated HSMs. AWS Certificate Manager (ACM) is a service that provides customers with a simple and secure way to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. ACM does not provide customers with HSMs or cryptographic keys. AWS Systems Manager is a service that provides customers with a unified user interface to view operational data from multiple AWS services and automate operational tasks across their AWS resources. AWS Systems Manager does not provide customers with HSMs or cryptographic keys. Reference: AWS CloudHSM FAQs

 Amazon Elastic File System (Amazon EFS) and Amazon FSx offer file storage. File storage is a type of storage that organizes data into files and folders, and allows multiple users or applications to access and share the same files over a network. Amazon EFS is a fully managed, scalable, and elastic file system that supports the Network File System (NFS) protocol and can be used with Amazon EC2 instances and AWS Lambda functions. Amazon FSx is a fully managed service that provides two file system options: Amazon FSx for Windows File Server, which supports the Server Message Block(SMB) protocol and is compatible with Microsoft Windows applications; and Amazon FSx for Lustre, which is a high-performance file system that is optimized for compute-intensive workloads

 The AWS tool that will meet the requirements of the company that is planning a migration to the AWS Cloud and wants to examine the costs that are associated with different workloads is AWS Pricing Calculator. AWS Pricing Calculator is a tool that helps customers estimate the cost of using AWS services based on their requirements and preferences. The company can use AWS Pricing Calculator to compare the costs of different AWS services and configurations, such as Amazon EC2, Amazon S3, Amazon RDS, and more. AWS Pricing Calculator also provides detailed breakdowns of the cost components, such as compute, storage, network, and data transfer. AWS Pricing Calculator helps customers plan and optimize their cloud budget and migration strategy. AWS Budgets, AWS Cost Explorer, and AWS Cost and Usage Report are not the best tools to use for this purpose. AWSBudgets is a tool that helps customers monitor and manage their AWS spending and usage against predefined budget limits and thresholds. AWS Cost Explorer is a tool that helps customers analyze and visualize their AWS spending and usage trends over time. AWS Cost and Usage Report is a tool that helps customers access comprehensive and granular information about their AWS costs and usage in a CSV or Parquet file. These tools are more useful for tracking and optimizing the existing AWS costs and usage, rather than estimating the costs of different workloads34

 Cost Explorer is an AWS service or tool that can be used to forecast AWS spending. It allows users to analyze their AWS costs and usage using interactive graphs and tables. It also provides features such as filtering, grouping, and forecasting to help users plan their future spending. Amazon DevPay is an AWS service that allows developers to sell applications that are built on AWS services. It handles the billing and metering for the customers of the applications and collects payments from them. It is not a tool for forecasting AWS spending. AWS Organizations is an AWS service that allows users to centrally manage and govern their AWS accounts. It provides features such as creating groups of accounts, applying policies, and automating account creation. It is not a tool for forecasting AWS spending. AWS Trusted Advisor is an AWS service that provides best practices and recommendations to optimize the performance, security, and cost of AWS resources. It can helpusers identify opportunities to reduce their AWS costs, but it is not a tool for forecasting AWS spending

Spot Instancesare the most cost-effective EC2 instance purchasing option for batch workloads that can handle interruptions and can be restarted from where they left off. Spot Instances offer significant cost savings (up to 90%) over On-Demand Instances by using spare EC2 capacity. They are ideal for workloads that are fault-tolerant and flexible in terms of timing.

A. Reserved Instances: Incorrect, as they require a long-term commitment and do not offer the flexibility needed for short-term, interruptible workloads.

C. Dedicated Instances: Incorrect, as they are designed to run on hardware dedicated to a single customer, which is more expensive.

D. On-Demand Instances: Incorrect, as they are more expensive than Spot Instances and are used for applications that require immediate or predictable capacity.

AWS Cloud References:

Amazon EC2 Spot Instances

 The correct answer is B because ensuring the environmental safety and security of the AWS infrastructure that hosts Workspaces is the responsibility of AWS, according to the AWS shared responsibility model. The AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the global infrastructure, such as the regions, availability zones, and edge locations; the hardware, software, networking, and facilities that run the AWS services; and the virtualization layer that separates the customer instances and storage. The customer is responsible for the security in the cloud, which includes the customer data, the guest operating systems, the applications, the identity and access management, the firewall configuration, and the encryption. The other options are incorrect because they are the responsibility of the customer, according to the AWS shared responsibility model. Setting up multi-factor authentication (MFA) for each Workspaces user account, providing security for Workspaces user accounts through AWS Identity and Access Management (IAM), configuring AWS CloudTrail to log API calls and user activity, and encrypting data at rest and in transit are all tasks that the customer has to perform to secure their Workspaces environment. Reference: AWS Shared Responsibility Model, Amazon WorkSpaces Security

The advantages of moving to the AWS Cloud are the ability to use the pay-as-you-go model and no longer having to guess what capacity will be required. The pay-as-you-go model allows the user to pay only for the resources they use, without any upfront or long-term commitments. This reduces the cost and risk of over-provisioning or under-provisioning resources. No longer having to guess what capacity will be required means that the user can scale their resources up or down according to the demand, without wasting money on idle resources or losing customers due to insufficient capacity4.