SAA-C03 AWS Certified Solutions Architect - Associate (SAA-C03) Question and Answers

To handle increased loads effectively, it ' s essential to implement Auto Scaling for both frontend and backend tiers:

Frontend Auto Scaling Group: Scaling based on incoming network traffic ensures that the application can handle increased user requests.

Backend Auto Scaling Group: Scaling based on the Amazon SQS queue backlog ensures that the backend can process messages as they arrive, preventing delays.

This approach allows each tier to scale independently based on its specific load, ensuring optimal resource utilization and performance.

Amazon RDS Proxy helps manage and pool database connections from serverless compute like AWS Lambda, significantly reducing the stress on the database during unpredictable traffic surges. It improves scalability and resiliency by efficiently managing connections, protecting the database from being overwhelmed, and enabling failover handling.

Option A is the most cost-effective and operationally efficient approach to handling unpredictable surges and improving resilience without requiring major application changes.

Option B involves a migration to DynamoDB, which is a significant architectural change and costlier initially. Option C is manual connection cleanup, insufficient for unpredictable surges. Option D increases resources but does not solve connection storm problems efficiently and is more costly.

The correct answer is C because the existing application uses NFS storage for an image cache that is a few terabytes in size , and the company wants the most cost-effective cloud alternative . Amazon EFS One Zone is a managed file storage service that supports the NFS protocol , which allows the application to continue using a familiar file-based interface with minimal architectural change. Because this is a cache , not primary durable data, storing it in a One Zone file system is a cost-optimized choice compared with a Regional EFS deployment.

Amazon EFS is designed for shared file storage and can scale to multiple terabytes automatically. It avoids the operational overhead of managing EC2 instances and local disks for cache storage. It is also better aligned than object storage for workloads that already expect direct NFS semantics. The application can mount the EFS file system and use it as the cache backend without redesigning around object APIs or in-memory caching models.

Option A is incorrect because ElastiCache Memcached is an in-memory cache and is typically much more expensive for multi-terabyte cache data than file storage. Option B is incorrect because using EC2 instance store volumes creates significant management overhead and the cache would be lost whenever instances are terminated or replaced. Option D is incorrect because Amazon S3 Express One Zone is object storage, not NFS storage, and would require application redesign and additional metadata management in DynamoDB.

AWS storage guidance recommends matching file-based workloads to managed file services. For a large NFS-based cache , Amazon EFS One Zone is the most cost-effective and operationally simple solution.

Maintaining two NAT gateways for production ensures high availability. Reducing to one NAT gateway in non-production environments lowers cost while maintaining necessary connectivity. This approach is recommended by AWS for cost optimization in non-critical environments.

Reference Extract:

" For environments that do not require high availability, you can reduce costs by using a single NAT gateway and updating route tables accordingly. "

Source: AWS Certified Solutions Architect – Official Study Guide, Cost Optimization and NAT Gateway section.

This solution meets the company ' s requirements with minimal administrative overhead and ensures security and ease of management.

AWS AppConfig: AWS AppConfig is a service designed to manage application configuration in a secure and validated way. It allows you to deploy configurations safely and quickly without affecting the application ' s performance or availability.

AWS Secrets Manager: AWS Secrets Manager is specifically designed to manage, retrieve, and rotate credentials for databases and other services. It integrates seamlessly with AWS services like Amazon RDS, making it an ideal solution for securely storing and retrieving database credentials. Secrets Manager also provides automatic rotation of credentials, reducing the operational burden.

Why Not Other Options?:

Option B (AWS Lambda + Parameter Store): While AWS Lambda can be used for managing configurations and AWS Systems Manager Parameter Store can store credentials, this approach involves more manual setup and does not offer the same level of integrated management and security as AppConfig and Secrets Manager.

Option C (Encrypted S3 Configuration File): Storing configuration and credentials in S3 files involves more manual management and security considerations, increasing the administrative overhead.

Option D (AppConfig + RDS for credentials): RDS is not designed for storing application credentials; it ' s better suited for managing database instances and their configurations.

AWS References:

AWS AppConfig- Describes how to use AWS AppConfig for managing application configurations.

AWS Secrets Manager- Provides details on securely storing and retrieving credentials using AWS Secrets Manager.

Predictive scaling automatically analyzes historical workload patterns, forecasts future capacity needs, and launches instances ahead of time. AWS documentation states that predictive scaling is designed for workloads with recurring, cyclical patterns—such as scheduled weekly batch jobs.

It also supports " pre-launching " capacity before peak demand. This eliminates manual trend analysis and delivers the lowest operational overhead.

Scheduled scaling (Option B) works but requires manual calculation of capacity numbers and updating if patterns change. Predictive scaling removes this burden entirely.

=====================================================

The first step is to configure a delegated administrator account for IAM Access Analyzer at the organization level. Only after delegating the administrator account can you aggregate Access Analyzer findings from all member accounts into a designated audit account. This must be set up in the AWS Organizations management account.

AWS Documentation Extract:

“You must designate a delegated administrator for IAM Access Analyzer at the organization level. The delegated administrator account aggregates findings from all member accounts.”

(Source: IAM Access Analyzer documentation)

A, C, D: These steps do not establish the organization-wide aggregation required for Access Analyzer.

The correct answer is B because the company already runs the application on Kubernetes , and the application uses AMQP to communicate with a message queue. Amazon EKS is the AWS managed Kubernetes service, so migrating the containerized workload to Amazon EKS allows the company to preserve its existing Kubernetes-based deployment model while reducing the operational burden of managing the Kubernetes control plane. This is the most straightforward migration path for a Kubernetes application and avoids the need for significant re-architecture.

The messaging requirement is equally important. Because the application specifically uses AMQP , the best AWS managed service is Amazon MQ , which supports industry-standard messaging protocols including AMQP. This means the company can migrate the application with minimal code changes and without replacing the messaging pattern already built into the application.

Option A is incorrect because Amazon SQS does not support AMQP and would require application changes. Option C is incorrect because running the application on EC2 instances creates more infrastructure management overhead than using a managed container orchestration service. Option D is incorrect because AWS Lambda is not a natural fit for an existing containerized Kubernetes application that depends on AMQP-based messaging, and SQS again does not satisfy the AMQP requirement.

AWS architectural best practices favor managed services that minimize undifferentiated operational work. Amazon EKS reduces Kubernetes control plane management, and Amazon MQ preserves protocol compatibility. Together, they provide the required scalability on AWS with the least operational overhead while supporting the company’s current architecture.

When on-premises DNS servers need to resolve private DNS names in a VPC, the correct pattern is to create a Route 53 Resolver inbound endpoint. The inbound endpoint allows DNS queries to flow from the on-premises environment into the VPC, where Route 53 can resolve VPC-specific names (such as private hosted zones or private resource records). Outbound endpoints (C) are for sending VPC DNS queries to on-premises, not the reverse. Verified Access (A) is unrelated to DNS resolution. Direct Connect (B) provides network connectivity but does not provide DNS forwarding capabilities. Therefore, option D is the correct design.

AWS recommends using AWS IAM Identity Center (formerly AWS SSO) for centralized authentication and access control across multiple accounts in an AWS Organization, especially when integrating with an external IdP.

From AWS Documentation:

“Use IAM Identity Center to provide centralized access to multiple AWS accounts or applications. You can integrate with an external IdP via SAML 2.0. Assign users permissions through permission sets that define the roles users can assume.”

(Source: AWS IAM Identity Center User Guide)

Why B and E are correct:

E enables centralized identity federation using IAM Identity Center with your external IdP.

B uses permission sets to apply least-privilege access roles to users and groups across accounts, in alignment with the principle of least privilege.

Why others are incorrect:

Option A: IAM users in each account break centralized access model and are hard to manage at scale.

Option C: Managing individual IAM roles and inline policies across accounts is not scalable.

Option D: Per-account SAML providers are redundant when using IAM Identity Center, which provides centralized federation.

The workload is Windows-based and requires a shared file system with SMB support and very high throughput for 4K video editing.

Amazon FSx for Windows File Server is a fully managed, highly available native Windows file system that supports the SMB protocol, Active Directory integration, and can deliver high throughput and low latency suitable for media workloads.

FSx for Windows File Server supports automatic storage scaling to grow file system capacity as data increases, matching the requirement of +1 TB per week with minimal admin effort.

A Multi-AZ SSD deployment provides high availability and performance.

Why others are not correct:

B: Amazon EFS is NFS, not SMB, and is optimized for Linux clients, not Windows-based environments.

C: FSx for Lustre is a high-performance POSIX file system typically used with Linux-based HPC workloads, not Windows + SMB.

D: S3 File Gateway is not designed for sustained multi-GB/s shared-edit performance and adds additional complexity; it is more suited for backup/archival and limited shared file access.

AWS Secrets Manager is purpose-built to securely store, manage, and rotate sensitive credentials such as database user names and passwords. Option A is the most operationally efficient solution because it eliminates manual password rotation, reduces human error, and centralizes secret lifecycle management. Secrets Manager integrates natively with Amazon Aurora, enabling automated credential rotation using AWS-managed or custom Lambda rotation logic. Once rotation is enabled, Secrets Manager updates the database credentials and stores the new values securely without requiring administrators to manually update files on EC2 instances.

By assigning IAM permissions to the secret, access can be tightly controlled using least-privilege principles. The application retrieves credentials at runtime, removing the need to store passwords locally on disk, which significantly improves security posture. Secrets Manager also provides auditing capabilities through AWS CloudTrail, allowing visibility into secret access and changes.

Option B (Systems Manager Parameter Store) can securely store secrets, but automated rotation is not natively supported in the same way as Secrets Manager. Implementing rotation with Parameter Store would require additional custom automation, increasing operational complexity. Option C stores credentials in S3, which is not designed for frequent credential rotation or secure secret access patterns, even when encrypted. Option D only encrypts credentials at rest on individual instances and does not address rotation, distribution, or centralized management, resulting in high operational overhead.

Therefore, A best meets the requirements by providing secure storage, automated monthly rotation, fine-grained access control, and minimal operational effort, aligning with AWS security and operational excellence best practices.

Amazon API Gateway supportsresource policies, which allow you to control access to your API by specifying the IP addresses or ranges that can access the API. By creating a resource policythat explicitly denies access to any IP address outside the allowed set, you can ensure that only trusted IP addresses (such as those from your internal network) can access the critical information in your API. This approach provides fine-grained access control without the need for additional infrastructure or complex configurations.

Option A (Private integration): API Gateway private integrations are for creating private APIs that are only accessible within a VPC, but this solution is about restricting access to certain IP addresses.

Option C (Private subnet and ACLs): Deploying the API in a private subnet and using network ACLs adds unnecessary complexity and isn ' t the best fit for HTTP APIs.

Option D (Security group): API Gateway doesn ' t have a security group because it isn ' t a resource inside a VPC. Instead, resource policies are the correct mechanism for controlling IP-based access.

AWS References:

Controlling Access to API Gateway with Resource Policies

AWS Control Tower provides a straightforward way to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of a baseline environment, or landing zone, that includes:

Service Control Policies (SCPs): These are used to manage permissions across AWS Organizations, allowing you to set permission guardrails. SCPs can restrict access to specific AWS services and actions, helping enforce security best practices.

Multi-Factor Authentication (MFA): AWS Control Tower can enforce MFA for the root user across all accounts, enhancing security.

Centralized Governance: It offers centralized logging and monitoring, making it easier to manage and audit multiple AWS accounts.

The most secure way to grant an external vendor’s AWS-hosted automation tool access into a company AWS account is to use cross-account IAM role assumption. Option A follows the standard AWS pattern: the company creates an IAM role in its own account that has only the permissions the vendor needs, and the role’s trust policy allows the vendor’s IAM role (in the vendor’s AWS account) to assume it. This approach avoids creating long-lived credentials in the company account and supports least privilege, auditing, and easy revocation.

With role assumption, the vendor continues to authenticate in its own AWS account and uses AWS STS to obtain temporary credentials when accessing the company account. Temporary credentials reduce exposure compared to access keys because they expire automatically and can be constrained with session duration, external IDs (where appropriate), and conditions. The company retains full control over permissions through the role policy, and CloudTrail can record AssumeRole events and subsequent API activity for auditing.

Option B is less secure because it creates an IAM user in the company account and would typically require managing long-lived credentials for the vendor tool, increasing the risk of leakage and ongoing operational overhead. Option C is not valid because IAM users are not shared across accounts; you cannot “add” a user from another account into an IAM group in your account. Option D is incorrect because “AWS account” is not a typical IAM identity provider type for this purpose; cross-account access is done through role trust policies, not by creating an IdP with an AWS account ID and username.

Therefore, A is the most secure solution because it uses short-lived credentials, enforces least privilege, centralizes control in the company account, and provides strong auditability without issuing permanent access keys.

A & B. GuardDuty:Designed for threat detection, not for identifying or classifying sensitive data in S3 buckets.

C. Macie with EventBridge + SNS:Automatically identifies sensitive data, triggers alerts, and uses SNS for immediate notification via email.

D. Macie with EventBridge + SQS:Introduces latency due to periodic polling and adds unnecessary complexity.

AWS Lake Formation provides fine-grained (column-level) access control for data stored in S3. Using a Lake Formation blueprint ensures database ingestion is automated and governed.

QuickSight can query Athena, and Athena honors Lake Formation permissions, enforcing column-level controls automatically.

Options A, B, and C rely on manual filtering or IAM policies, which cannot enforce column-level authorization for SQL queries.

To enforce that IAM users can only access Amazon RDS and no other AWS services, the recommended approach is to use a Deny statement with NotAction. This ensures that all actions are denied except RDS actions. Options A and B do not fully achieve the restriction: A only allows RDS but does not explicitly deny access to other services if another policy grants access; B’s explicit Deny for “*” would override all other permissions, including the intended RDS Allow, which would result in no access at all. Option D with permissions boundaries still allows other attached policies to grant access outside RDS. Therefore, C is the correct approach to enforce RDS-only access.

For improving availability and performance of the hybrid application, the following solutions are optimal:

AWS Global Accelerator (Option A): Global Accelerator provides high availability and improves performance by using the AWS global network to route user traffic to the nearest healthy endpoint (across AWS Regions). By adding the Network Load Balancers as endpoints, Global Accelerator ensures that traffic is routed efficiently to the closest endpoint, improving both availability and performance.

Network Load Balancer (Option D): Thestateful TCP-based workloadhosted on Amazon EC2 instances and thestateless UDP-based workloadhosted on-premises are best served by Network Load Balancers (NLBs). NLBs are designed to handle TCP and UDP traffic with ultra-low latency and can route traffic to both EC2 and on-premises endpoints.

Option B (CloudFront and Route 53): CloudFront is better suited for HTTP/HTTPS workloads, not for TCP/UDP-based applications.

Option C (ALB): Application Load Balancers do not support the stateless UDP-based workload, making NLBs the better choice for both TCP and UDP.

AWS References:

AWS Global Accelerator

Network Load Balancer

The most cost-effective, secure way for private subnets to access AWS services without public IP addresses is to use VPC endpoints:

Interface endpoints (powered by AWS PrivateLink) for services like S3, DynamoDB, etc.

Traffic stays on the AWS network.

“You can privately connect your VPC to supported AWS services using interface VPC endpoints powered by AWS PrivateLink. Instances in your VPC do not require public IP addresses.”

— VPC Endpoints Documentation

Why not others:

NAT gateways incur hourly + data transfer costs and use public IPs.

Internet gateways expose traffic to the internet.

Direct Connect is for private on-prem connectivity, not needed here.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The key constraint is no application code changes, while the observed failure mode during spikes is heavy write load on the database that makes the site unresponsive. Scaling the web tier alone (Option B) may not help if the database is the bottleneck; in fact, adding more EC2 instances can increase concurrent write pressure and worsen the database overload. Caching (Option A) would require modifying the application to use Redis for query caching, which violates the no-code-change requirement. Option C is not a fit: CloudFront caching is effective for cacheable content, but authenticated, personalized pages are typically not cacheable without application changes, and “write throttle” is not a standard CloudFront feature to protect the database.

Migrating from RDS for MySQL to Amazon Aurora Serverless is a managed approach designed to automatically adjust database capacity to match workload demand, which is well suited to “low baseline traffic with occasional sudden spikes.” By setting an appropriate maximum capacity, Aurora Serverless can scale to handle bursts more gracefully than a fixed-size RDS instance, improving availability during unpredictable demand. This reduces operational overhead because capacity management is largely handled by the service rather than by manual instance resizing or complex scaling scripts.

The final step—configuring EC2 instances to connect to the new Aurora endpoint—is an infrastructure configuration change, not an application code rewrite. The application continues to speak the same MySQL-compatible protocol (Aurora MySQL-compatible), preserving compatibility while improving resilience to spikes.

Therefore, D best meets the requirement to improve availability during sudden traffic increases driven by heavy database writes, with minimal operational effort and no application code changes.

Option B: Pre-signed URLs provide temporary, authenticated access to S3, limiting uploads to the time frame specified. This solution is lightweight, efficient, and easy to implement.

Option Arequires the management of IAM temporary credentials, adding complexity.

Option Cinvolves unnecessary development effort.

Option Dintroduces more complexity with STS and roles than pre-signed URLs.

Amazon Route 53 Resolver endpoints allow you to integrate DNS between AWS and on-premises environments easily. By creating inbound and outbound resolver endpoints, you can configure conditional forwarding rules so that DNS queries for your on-premises AD domain are forwarded to the on-premises DNS servers. This approach is fully managed, scales automatically, and requires the least administrative overhead.

AWS Documentation Extract:

" Route 53 Resolver provides DNS resolution between AWS and on-premises environments, using endpoints and forwarding rules to manage DNS query routing seamlessly. "

(Source: Route 53 Resolver documentation)

A, D: Require provisioning, managing, and patching EC2 servers or domain controllers.

B: NS records in a private hosted zone do not provide true DNS forwarding.

To meet the requirements, the key must support automatic rotation, and the company must be able to disable (deactivate) the key and schedule deletion. In AWS KMS, these lifecycle controls are available for customer managed keys. Automatic key rotation is supported for symmetric customer managed KMS keys used for encryption and decryption operations. When automatic rotation is enabled, AWS KMS generates new cryptographic material for the key on a regular schedule while the key ID remains the same, helping organizations meet compliance and security best practices without manual operational work.

Option C is the only choice that explicitly combines a symmetric customer managed key with automatic rotation enabled, which directly satisfies the rotation requirement. As a customer managed key, it can also be disabled (to prevent use) and scheduled for deletion (with a waiting period), meeting the rest of the lifecycle needs.

Option A is incorrect because automatic rotation is not generally available for asymmetric KMS keys in the same way; asymmetric keys are used for specialized use cases such as signing or asymmetric encryption, and rotation behavior differs. Options B and D mention “disabling envelope encryption,” which is not a configurable “option” you turn off in KMS; envelope encryption is a recommended pattern where KMS protects data keys, and services commonly use it under the hood. Those options therefore do not describe a valid configuration that meets the requirement.

Therefore, the correct solution is to create a symmetric customer managed KMS key and enable automatic rotation, while using standard KMS controls to disable and schedule deletion when required.

Amazon Aurora Serverless v2 provides cost-effective, on-demand, and auto-scaling database capacity. You pay only for actual usage, making it ideal for development and test environments that are not used continuously. It supports PostgreSQL and is suitable for variable and short-duration workloads, minimizing costs when databases are idle.

AWS Documentation Extract:

“Amazon Aurora Serverless v2 automatically adjusts database capacity based on application needs, ideal for development and test environments with intermittent usage.”

(Source: Aurora Serverless v2 documentation)

B: RDS instances run and accrue charges even when idle.

C, D: Aurora clusters/global databases are overkill and incur higher costs for dev/test.

To securely access AWS services like S3 and Secrets Manager from a private VPC without using public IPs, interface VPC endpoints are required. These endpoints are accessible via private IP addresses. For the application to reach these endpoints, appropriate routes must be configured in the route table.

Memory Optimized Instances: These instances are designed to deliver fast performance for workloads that process large data sets in memory. They are ideal for high-performance databases like SAP and applications with high memory utilization.

High Memory Utilization: Both the SAP application and the SQL Server database have high memory demands as per the on-premises performance data. Memory optimized instances provide the necessary memory capacity and performance.

Instance Types:

For the SAP application, using a memory optimized instance ensures the application has sufficient memory to handle the high workload efficiently.

For the SQL Server database, memory optimized instances ensure optimal database performance with high memory throughput.

Operational Efficiency: Using the same instance family for both the application and the database simplifies management and ensures both components meet performance requirements.

AWS Transfer Family is a fully managed service that provides SFTP, FTPS, and FTP access directly to Amazon S3. It allows organizations to support legacy data transfer protocols without managing infrastructure. This approach gives the vendors a familiar SFTP interface, with files landing directly in S3, and requires minimal operational effort compared to managing EC2 servers or using gateways.

Reference Extract from AWS Documentation / Study Guide:

" AWS Transfer Family enables secure transfer of files directly into and out of Amazon S3 using SFTP, FTPS, and FTP, and is fully managed by AWS, significantly reducing operational overhead. "

Source: AWS Certified Solutions Architect – Official Study Guide, Data Migration and Transfer section.

Amazon API Gatewayprovides a scalable and reusable solution for interacting with DynamoDB without requiring direct access by developers. By setting up a REST API with a POST methodthat integrates with DynamoDB ' sPutItemaction, developers can submit data (such as user ratings) to the DynamoDB table through API Gateway, without having to directly interact with the database. This solution is serverless and minimizes operational overhead.

Option A: Using ALB with Lambda adds complexity and is less efficient for this use case.

Option B: While using Lambda is possible, API Gateway provides a more scalable, reusable interface.

Option C: SQS with Lambda introduces unnecessary components for a simple put operation.

AWS References:

Amazon API Gateway with DynamoDB

A. Mutual TLS:Provides secure communication but does not integrate with AWS credential exchange.

B. AWS Signature v4:Requires direct integration with AWS and is less secure for external systems.

C. Kerberos:Not natively supported for AWS API authentication.

D. IAM Roles Anywhere:Enables AWS API access using X.509 certificates without long-term credentials.

Amazon S3 Express One Zone provides single-digit millisecond latency and high throughput, making it ideal for ML workloads that require multiple compute nodes and fast access. It is also more cost-effective than traditional file or block storage for temporary, high-speed needs.

CloudFront Signed URLs: These URLs allow you to provide limited access to content that is being served through an Amazon CloudFront distribution. Signed URLs can be generated to grant time-limited access to premium customers.

Content Restriction:

By using CloudFront signed URLs, you can control access to your media streams and file content stored in S3.

These URLs can be customized with an expiration time, ensuring that access is only available for a specific period, which is useful for scenarios like movie rentals or music downloads.

Security and Flexibility:

Signed URLs ensure that only authenticated users (premium customers) can access the restricted content.

This approach integrates seamlessly with CloudFront and S3, providing an efficient way to manage access controls without additional overhead.

Operational Efficiency: Using CloudFront signed URLs leverages AWS managed services to handle the complexity of access control, reducing the need for custom implementation and maintenance.

Comprehensive and Detailed Step-by-Step Explanation:

The requirement is toprevent data deletion by any user, including administrators, for 7 years while allowing automatic deletion afterward.

S3 Object Lock in Compliance Mode (Correct Choice - C)

Compliance mode ensures that even the root user cannot delete or modify the objects during the retention period.

After 7 years, the S3 Lifecycle policy automatically deletes the objects.

This meets bothimmutability and automatic deletionrequirements.

Governance Mode (Option B - Incorrect)

Governance mode prevents deletion,but administrators can override it.

The requirement explicitly states thateven administrators must not be able to delete the data.

S3 Bucket Policy (Option A - Incorrect)

An S3 bucket policy candeny deletes, but policies can be modified at any time by administrators.

It does not enforce strict retention like Object Lock.

S3 Batch Operations Job (Option D - Incorrect)

A legal hold does not have an automatic expiration.

Legal holds must be manually removed, which is not efficient.

Why Option C is Correct:

S3 Object Lock in Compliance Mode prevents deletion by all users, including administrators.

The S3 Lifecycle policy deletes the data automatically after 7 years, reducing operational overhead.

Amazon EFS is a regional, elastic file system that “scales to petabytes” and can be accessed from “thousands of compute instances” concurrently. You can mount EFS across VPCs and across AWS accounts by providing network connectivity (e.g., VPC peering) to the EFS mount targets and allowing NFS (TCP 2049) in the mount target security group, optionally using EFS access points and a file system policy for cross-account access control. VPC peering has no hourly charge and minimal operational overhead, and EFS automatically scales as files are added—meeting the scalability and cost goals.

Option A duplicates data, incurs DataSync and extra storage costs, and adds sync lag.

Option C adds an extra Lambda hop and complexity without exposing a shared filesystem to the primary function.

Option D is impractical: Lambda layers are immutable artifacts with tight size limits (up to 50 MB compressed/250 MB uncompressed) and are not suited for dynamic, growing file sets.

The key requirements are shared storage, SMB protocol support, and least administrative overhead. Amazon FSx for Windows File Server is a fully managed AWS service designed specifically to provide native SMB file shares compatible with Windows-based workloads and SMB clients.

Option D is the optimal solution because FSx for Windows File Server eliminates the need to manage operating systems, patching, backups, file server clustering, and availability. AWS handles infrastructure management, scaling, and availability, while providing high-performance file storage that integrates seamlessly with Active Directory and supports standard Windows file permissions and SMB semantics. This makes it ideal for media applications that rely on shared file access.

Option A (Storage Gateway Volume Gateway) is designed primarily for hybrid environments that extend on-premises storage into AWS, not for cloud-native shared file systems. Option B (Tape Gateway) is intended for backup and archival workflows, not active file access. Option C requires significant operational overhead, including OS maintenance, security patching, scaling, and high availability design.

Therefore, D meets all requirements with the least administrative effort while providing a scalable, secure, and highly available SMB-compatible storage solution.

A. Aurora MySQL:Handles OLTP workloads efficiently with built-in replication and auto-scaling capabilities.

B. EC2 with MySQL:Requires heavy manual maintenance and does not scale seamlessly.

C. RDS for MySQL:Limited in auto-scaling compared to Aurora.

D. Redshift:Primarily for OLAP, not suitable for OLTP workloads.

Amazon Athenais a serverless query service that allows you to run SQL queries directly on data stored in Amazon S3 without the need for a data warehouse. It is cost-effective because you only pay for the queries you run, and it can handleApache Parquetfiles efficiently. Additionally, Athena integrates with KMS, making it suitable for querying encrypted data.

Key AWS features:

Cost-Effective: Athena charges only for the data scanned by the queries, making it a more cost-effective solution compared to Redshift or EMR for occasional queries.

Direct S3 Querying: Athena supports querying data directly in S3, including Parquet files, without needing to move the data.

AWS Documentation: Athena ' s compatibility with encrypted Parquet files in S3 makes it the ideal choice for this scenario, reducing both cost and complexity​​.

The correct answer is D because the company needs to authenticate users from an on-premises LDAP directory to the AWS Management Console , but the directory is not SAML-compatible . In this scenario, the AWS-recommended pattern is to use a custom identity broker that authenticates users against the existing LDAP directory and then requests temporary AWS credentials from AWS Security Token Service (AWS STS) . This enables federated access to AWS without creating long-term IAM user credentials for each person.

A custom identity broker serves as the intermediary between the non-SAML directory and AWS. After validating a user with LDAP, the broker can call AWS STS to issue short-lived credentials or console sign-in access. This approach preserves the use of the company’s existing identity source while meeting AWS security best practices for temporary credentials and centralized identity management.

Option A is incorrect because AWS IAM Identity Center typically relies on supported identity sources and federation methods, and the question explicitly states that the LDAP directory is not SAML-compatible. Option B is incorrect because IAM policies do not integrate directly into LDAP as an authentication mechanism. Option C is incorrect because rotating IAM credentials tied to LDAP changes still relies on long-term credentials and does not provide a proper federated sign-in model.

AWS federation guidance supports the use of a custom identity broker when an organization has a non-SAML-compatible identity system. Therefore, the best solution is to develop an on-premises custom identity broker that uses AWS STS to obtain short-lived credentials for AWS Management Console access.

A Network Load Balancer operates at Layer 4 (TCP/UDP/TLS) and is optimized for high performance and static IP use cases. While NLB target groups can perform health checks, they are typically oriented around basic reachability and do not provide the same application-layer (Layer 7) visibility as an Application Load Balancer (ALB). The problem statement says the NLB is “not detecting HTTP errors,” which indicates the health signal needs to be based on an HTTP endpoint that can reflect application correctness (for example, returning specific HTTP status codes).

Replacing the NLB with an ALB enables true HTTP/HTTPS health checks against a URL path, including interpretation of HTTP response codes. This is the cleanest managed approach to detect application-layer failure modes that still allow TCP connections but produce bad HTTP responses. Once the ALB detects targets as unhealthy, the target group health status can be used by an Auto Scaling group to take action. With appropriate health check configuration (and, commonly, using ELB health checks as a signal), Auto Scaling can replace unhealthy instances automatically, improving availability without custom scripts.

Option A is misleading: NLB does not provide the same HTTP-aware request routing and rich L7 features; even if an NLB health check is configured, it does not address the broader need for application-layer detection and remediation as directly as ALB. Option B violates the “no custom scripts” requirement. Option D reacts to UnhealthyHostCount, but if the NLB isn’t marking hosts unhealthy for HTTP error cases, the metric won’t reliably trigger replacement; it also still depends on the NLB’s limited visibility into HTTP failures.

Therefore, C best meets the requirement by shifting to ALB for application-layer health checks and using Auto Scaling to replace unhealthy instances automatically.

AWS Transit Gateway simplifies network connectivity by acting as a hub that can connect VPCs and on-premises networks through VPN or Direct Connect. It provides scalability and reduces administrative overhead by eliminating the need to manage complex peering relationships as the number of accounts and VPCs grows.

EKS lets teams “run Kubernetes on AWS without needing to install and operate your own Kubernetes control plane,” and with AWS Fargate, you “run Kubernetes pods without managing servers,” reducing operational overhead for worker nodes. For the data layer, Amazon DocumentDB (with MongoDB compatibility) “supports the MongoDB API and drivers,” allowing existing MongoDB applications to work without application changes, while the service “automatically scales storage,” provides “high availability across multiple Availability Zones,” automatic backups, and patching. Because the company cannot change code or deployment methods, keeping Kubernetes (EKS) and the MongoDB API (DocumentDB compatibility) is essential. Options A and C either change the orchestrator (to ECS) or the database API (to DynamoDB), which would require code/deployment changes. Option A also leaves you managing EC2 nodes and a self-managed MongoDB on EC2, increasing ops burden. Therefore, EKS on Fargate + Amazon DocumentDB minimizes operations and preserves compatibility.

A Stored Volume Gateway stores the entire dataset locally on-premises while asynchronously and securely backing up the data to AWS. This meets the requirement for full local access and automatic transfer to AWS.

Cached Volume Gateway (Option C) keeps only frequently accessed data locally; the full dataset is stored in AWS, not on-premises.

Snowball and Snowball Edge (Options A and B) are migration tools, not ongoing backup solutions.

=====================================================

Amazon RDS Proxy is designed to manage a large number of database connections from applications, especially serverless applications that can scale quickly. It improves application availability and scalability by pooling and sharing established database connections. This reduces the overhead of database connections and prevents overload during traffic spikes.

Amazon Aurora PostgreSQL with Babelfish allows Aurora to understand SQL Server T-SQL and the SQL Server wire protocol. This enables applications to continue using SQL Server drivers, minimizing code changes (Option B).

Migration of schema and data is performed using AWS Schema Conversion Tool (SCT) and AWS Database Migration Service (DMS) (Option C), which is the AWS-recommended migration pattern for heterogeneous database migrations.

AWS DMS (Option E) does not rewrite application SQL.

RDS Proxy (Option D) does not translate SQL Server protocols.

Option A requires rewriting application queries, which contradicts the “minimal changes” requirement.

The question focuses on minimizing costs while serving static content to users in the US and Europe.

Option Auses a single S3 bucket and configures CloudFront to limit edge locations, reducing costs by using fewer edge locations while still improving performance.

Option Bmaximizes edge locations, which increases costs unnecessarily.

Options C and Dinvolve storing data in multiple regions, which increases storage and operational costs.Thus, Option A is the most cost-effective solution.

The correct answer is A because the legacy mainframe requires a synchronous RESTful API and the new service takes approximately 3 minutes to complete each request. Among the choices, Amazon API Gateway REST API is the appropriate option for exposing a synchronous REST endpoint to the mainframe. API Gateway REST APIs support longer integration timeouts than HTTP APIs, which makes them more suitable for workloads that take an extended time to process. The REST API can invoke an AWS Lambda function to execute the stock price calculation and return the result synchronously.

Option B is incorrect because API Gateway HTTP APIs have a shorter integration timeout and are not the best fit for a request that takes around 3 minutes. Option C is incorrect because WebSocket APIs are not RESTful and do not meet the requirement for synchronous REST-based integration with the mainframe. Option D is incorrect because Lambda function URLs do not provide the same API management features and are not the best choice for a long-running synchronous enterprise integration requirement of this kind.

AWS design guidance favors API Gateway when exposing managed APIs to external consumers. In this case, the REST API option best matches the requirement for synchronous RESTful access while supporting the longer processing duration. It also provides a managed front door for authentication, throttling, and operational control if the company needs those features later.

One note of honesty: some exam versions treat the REST API timeout detail as the deciding factor here. That is the key reason REST API is preferred over HTTP API for this question.

AWS Global Accelerator is designed to improve the availability and performance of applications with global users by using the AWS global network. It provides static anycast IP addresses and routes user traffic over the AWS edge network to the optimal AWS Region and endpoint based on health, geography, and routing policies. Global Accelerator supports both TCP and UDP traffic and can have Network Load Balancers as endpoints.

For latency-sensitive workloads such as multiplayer gaming, Global Accelerator reduces latency and jitter compared to internet-based routing and handles Regional failover quickly.

CloudFront (Option A) is optimized for HTTP/HTTPS content caching and is not appropriate for arbitrary TCP/UDP gaming traffic. Application Load Balancers (Option B) do not support UDP traffic. API Gateway (Option D) is for HTTP APIs and is not suitable for raw TCP/UDP game traffic.

Amazon EC2 allows you to install and manage SQL Server directly on a Windows or Linux VM, giving you full access to the underlying operating system. This is required when you need to install custom agents, configure OS-level features, or have complete control over the environment.

Amazon RDS and Aurora are managed services and do not provide access to the underlying OS, nor does Redshift (which is a data warehouse, not SQL Server).

AWS Documentation Extract:

" If you require access to the underlying operating system or need to install custom software, use SQL Server on Amazon EC2. Amazon RDS is a managed service and does not provide OS-level access. "

(Source: AWS Database Migration documentation, SQL Server Deployment Options)

HPC workloads require high-throughput, low-latency networking, especially for tightly-coupled applications like weather modeling, genomics, or real-time rendering.

A cluster placement group places instances in the same Availability Zone and on physically connected hardware, reducing network latency and increasing throughput.

Elastic Fabric Adapter (EFA) is a network device for EC2 instances that enables low-latency, high-throughput networking using OS-bypass technology, ideal for tightly-coupled HPC applications.

Each instance can support single-flow 10 Gbps bandwidth using EFA, and collectively, the cluster can achieve up to 100 Gbps aggregate throughput when properly configured.

This solution supports the Performance Efficiency and Resilience design principles and is a standard AWS-recommended pattern for HPC.

🔗 References:

EC2 Placement Groups

Elastic Fabric Adapter Overview

Best Practices for HPC on AWS

Aurora Global Database is designed for low-latency cross-Region reads and disaster recovery for relational data.

Amazon S3 Cross-Region Replication (CRR) automatically replicates unstructured data to another Region, ensuring high availability and resilience.

“Aurora Global Database replicates your data with typical latency of less than 1 second to secondary AWS Regions.”

“Amazon S3 Cross-Region Replication automatically replicates every object uploaded to your bucket to a destination bucket in another AWS Region.”

— Aurora Global Database

— S3 Cross-Region Replication

This combination meets the multi-Region, high availability, fault-tolerant requirement for both relational and unstructured data.

To provide unique, secure URLs efficiently:

A: Create a wildcard custom domain in Route 53 as an alias for the API Gateway endpoint.

D: Request a wildcard certificate in ACM in the same Region as API Gateway (certificates must be in the same Region as the API).

F: Create a custom domain name in API Gateway and attach the certificate.

“You can configure a custom domain name for your API Gateway API. To use a wildcard certificate, request it from ACM in the same Region as your API.”

— API Gateway Custom Domain Names

This combination provides secure wildcard URLs without creating separate endpoints or hosted zones per user.

Application Load Balancer (ALB) supports HTTP/HTTPS layer 7 routing, including header-based routing, path-based routing, and host-based routing.

AWS WAF is designed to provide rules-based filtering (block, allow, count) of HTTP(S) requests to protect applications from common exploits and malicious traffic.

ALB integrates directly with AWS WAF, so you can attach a web ACL with custom rules defined by the security team to block specific patterns while still using header-based routing.

Why the others are not correct:

A: Mutual TLS adds client certificate authentication but does not provide rules-based blocking or WAF-style inspection.

C: AWS Config is for configuration compliance and auditing, not request filtering.

D: NLB operates at layer 4 (TCP/UDP); it does not support HTTP header-based routing.

The correct answer is B because the company wants high availability , minimum downtime , minimum data loss , and the least operational effort . For the application tier, configuring the Auto Scaling group to span multiple Availability Zones increases resilience by ensuring that the loss of one Availability Zone does not make the application unavailable. Since the application is already behind an Application Load Balancer, traffic can continue to be routed to healthy instances in other Availability Zones.

For the database tier, the single-AZ Aurora PostgreSQL deployment represents a single point of failure. Configuring the database for Multi-AZ improves availability and durability by maintaining a synchronized standby in another Availability Zone and supporting failover with minimal disruption. This approach is aligned with AWS best practices for relational database high availability.

Using Amazon RDS Proxy further improves availability at the application layer by managing database connections efficiently and helping applications reconnect more quickly during failover events. This reduces the operational complexity of handling transient database interruptions and can improve application resilience.

Option A introduces multi-Region complexity, which is not required to meet the stated need and creates more operational overhead. Option C does not provide high availability because snapshots are a backup and restore mechanism, not an automatic failover solution, and hourly snapshots can result in significant data loss. Option D is unnecessarily complex and changes the application data flow in a way that is not needed.

The simplest and most AWS-aligned solution is to make both the compute and database layers highly available across multiple Availability Zones . That provides resilience with the least operational burden.

The question asks for the most cost savings while not affecting application performance, and it explicitly calls out both compute costs and storage costs increasing. The best answer is the option that optimizes both cost drivers without reducing capacity needed for peak performance. Option D accomplishes this by combining two well-established cost optimization mechanisms: a Compute Savings Plan for baseline compute usage and S3 Lifecycle policies for lower-cost storage of older receipt images.

A Compute Savings Plan is best applied to the steady, always-needed portion of compute capacity. In an Auto Scaling group, there is typically a predictable minimum footprint that runs continuously. Purchasing a Savings Plan for that baseline delivers substantial discounts compared with On-Demand pricing while keeping performance unchanged. For traffic spikes, continuing to use On-Demand Instances is operationally simple and preserves scaling behavior and customer experience. This avoids the risk that reducing minimum capacity could introduce slower scale-out or insufficient resources during sudden load.

On the storage side, raw receipt images are stored in Amazon S3, and many applications access the newest objects most frequently. Using S3 Lifecycle policies to transition objects after 30 days to lower-cost tiers (such as infrequent access or archival tiers as appropriate for retrieval needs) reduces storage spend without changing how new uploads are handled or processed. It also keeps the application fast for recent receipts, where performance typically matters most.

Options A and B move storage to EFS, which is generally more expensive than S3 for object storage patterns and does not align with “stored as objects.” Option C reduces the maximum Auto Scaling capacity, which can directly harm performance during demand surges. Therefore, D provides the largest cost reduction while preserving performance and scaling characteristics.

To analyze the performance of the web application with granularity of no more than 2 minutes, enablingdetailed monitoringon EC2 instances is the best solution. By default, CloudWatch provides metrics at a 5-minute interval. Enabling detailed monitoring allows you to collect metrics at 1-minute intervals, which will give you the level of granularity you need to analyze performance during peak traffic.

Amazon CloudWatch metrics can then be used to analyze CPU utilization, memory usage, disk I/O, and network throughput, among other performance-related metrics, at the desired granularity.

Option A: Sending CloudWatch logs to Redshift for analysis is unnecessary and overcomplicated for simple performance analysis, which can be done using CloudWatch metrics alone.

Option C: Fetching EC2 logs via Lambda adds complexity, and CloudWatch metrics already provide the required data for performance analysis.

Option D: Sending logs to S3 and using Redshift for analysis is also more complex than necessary for simple performance monitoring.

AWS References:

Monitoring Amazon EC2 with CloudWatch

Amazon CloudWatch Detailed Monitoring

Service control policies (SCPs) in AWS Organizations apply to the accounts or OUs to which they are attached:

To restrict only nonproduction accounts, you can:

Attach the SCP directly to those specific member accounts (Option B), or

Create a dedicated OU for the nonproduction accounts and attach the SCP to that OU (Option E).

Both methods ensure that the deny policy affects only the nonproduction accounts and does not impact the production account.

Why the others are incorrect:

A: Attaching the SCP to the root OU would apply the deny to all accounts, including production, which does not meet the requirement.

C: SCPs attached to the management account only affect that account, not all member accounts.

D: Creating an OU for the production account and attaching the deny SCP there would block the prohibited instance types in production, which is the opposite of what is required.

Amazon SQS FIFO queues guarantee the order of message delivery and ensure that each message is delivered exactly once. Paired with AWS Lambda, this creates a scalable, fault-tolerant architecture that processes each order in order and prevents duplicates, which is critical for ecommerce workflows.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

To achieve resilience across multiple Availability Zones, the architecture should use services that natively provide Multi-AZ durability and failover with minimal manual intervention. For static website content, Amazon S3 is the natural choice because it stores objects durably and is designed for high availability; it also integrates well with common web delivery patterns. For the database, the requirement is explicitly Microsoft SQL Server and resilience across AZs.

An Amazon RDS for SQL Server Multi-AZ deployment (Option B) is designed to provide high availability by maintaining a standby replica in a different Availability Zone and performing automated failover in certain failure scenarios. This meets the Multi-AZ resiliency requirement while reducing operational overhead compared to self-managed database clustering on EC2.

Option A uses RDS Custom for SQL Server, which is intended for scenarios where you need OS-level and database-level access/customization. That typically increases operational responsibility and is not the simplest “resilient Multi-AZ” answer unless the scenario demands deep customization (it does not here). Options C and D propose using EBS Multi-Attach for static content, which is not a good fit for static website assets and adds complexity; Multi-Attach is limited and does not replace object storage semantics. Option D also adds substantial operational overhead by running and managing SQL Server across EC2 instances in multiple AZs, including patching, backups, and HA configuration.

Therefore, B best meets all requirements: S3 for static object content and RDS for SQL Server Multi-AZ for resilient, managed database high availability across Availability Zones.

Instances in a private subnet cannot directly reach the internet because they do not have public IP addresses and the private subnet route table typically does not send 0.0.0.0/0 traffic to an internet gateway. However, these instances still need outbound-only internet access to download patches and updates while remaining inaccessible from the internet. The standard AWS design to achieve this is a NAT gateway deployed in a public subnet.

Option C is required because a NAT gateway must reside in a public subnet that has a route to the internet gateway. This allows the NAT gateway to forward outbound traffic from private instances to the internet and return responses, without allowing inbound connections initiated from the internet to those instances.

Option A is required because a NAT gateway uses an Elastic IP address to represent its public-facing identity on the internet. Without an Elastic IP, the NAT gateway cannot communicate with internet endpoints. The Elastic IP is associated with the NAT gateway, not with the internet gateway.

Option B is required because the private subnet needs a route for 0.0.0.0/0 (default route) that targets the NAT gateway. This ensures that outbound internet-bound traffic from the private instances is sent to the NAT gateway rather than being dropped.

Option D is incorrect because a NAT gateway in a private subnet would not have a working route to the internet gateway and would not provide internet egress. Option E is incorrect because the public subnet’s default route should point to the internet gateway, not to the NAT gateway. Option F is incorrect because you do not associate Elastic IPs with an internet gateway.

Therefore, A, B, and C correctly implement private subnet outbound internet access while keeping the instances unreachable from the internet.

Since the workload is interruptible and can resume after restarts, Amazon EC2 Spot Instances are the most cost-effective option, offering savings of up to 90% compared to On-Demand. Running the batch workload on AWS Batch with Spot Instances allows automatic job queue management, interruption handling, and scheduling. Option A and C reduce cost but still rely on reserved or committed pricing for On-Demand capacity. Option B (Capacity Reservations) increases cost instead of reducing it. Therefore, the most cost-optimized solution is D — AWS Batch with EC2 Spot Instances.

The performance issue occurs because reporting queries compete with production traffic on the same primary database instance. The best-practice AWS solution is to offload read-heavy workloads to a separate database endpoint.

Option C adds an Amazon RDS read replica, which asynchronously replicates data from the primary instance. By redirecting reporting queries to the replica endpoint, the primary database can focus on transactional workloads, significantly improving application performance and customer experience.

Read replicas are specifically designed for this use case: scaling read capacity and isolating reporting or analytics queries. This solution requires minimal changes to the reporting job (endpoint update only) and avoids overprovisioning the primary database.

Option A (RDS Proxy) improves connection management but does not reduce query load or isolate reporting traffic. Option B is invalid because Multi-AZ does not scale reads and is not configurable across three AZs for a single instance. Option D increases instance size but does not address the underlying contention between workloads and increases cost unnecessarily.

Therefore, C is the most efficient and scalable solution to minimize reporting impact while maintaining high performance and availability.

Amazon RDS read replicas provide a way to offload read traffic from the primary database, allowing read-intensive applications to query the replica without impacting the performance of the production (write) database. This is especially effective for workloads that involve frequently changing data but do not benefit from caching, since queries are rarely repeated.

Reference Extract from AWS Documentation / Study Guide:

" Read replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. "

Source: AWS Certified Solutions Architect – Official Study Guide, RDS Read Replica section.

Amazon EMR allows the creation of security configurations to specify settings for encrypting data at rest, data in transit, or both. These configurations can be applied to clusters to ensure that data stored in Amazon S3, local disks, and data moving between nodes is encrypted.

By creating and applying an EMR security configuration, the company can ensure that all data processing complies with encryption requirements for sensitive patient data.

AWS Snowball Edge is specifically designed for use cases that involve limited or unreliable network connectivity. It enables data transfer and local compute processing at edge locations.

It comes in two options: Snowball Edge Storage Optimized and Snowball Edge Compute Optimized.

The Compute Optimized model allows the disaster response team to both store images locally and process data on the device using Amazon EC2-compatible compute resources.

This removes the need for constant network connectivity. After processing, the device can be shipped back to AWS, where data is uploaded to S3.

Other options fail due to:

SQS not being suitable for large binary image data (Option B)

Kinesis Data Firehose needing steady connectivity (Option C)

Storage Gateway is for hybrid cloud environments with ongoing connection, not rugged field use (Option D)

🔗 References:

AWS Snowball Edge Overview

Snowball Edge Use Cases

The least operational overhead approach is to use AWS Directory Service with AWS Managed Microsoft AD and establish a trust relationship with the existing on-premises Microsoft Active Directory. This pattern lets employees continue using their existing corporate credentials while AWS operates the directory infrastructure (patching, monitoring, availability, and domain controller management), reducing the burden compared to building and maintaining custom federation components. With a trust in place, identities and group memberships from the on-premises directory can be used for authentication and authorization workflows in AWS.

To provide role-based access to AWS resources and the AWS Management Console, users should assume IAM roles that grant permissions based on job function. IAM roles with appropriate trust policies enable temporary credentials and least-privilege access without creating long-lived IAM users for every employee. This aligns with AWS best practices of centralized identity management and using roles for access control.

Option B is not a standard direct integration pattern: IAM does not “LDAP bind” directly to on-premises AD for console access. Option C can work (custom identity broker + STS) but increases operational overhead because the company must build, secure, operate, and maintain the broker, including availability, updates, and incident response. Option D is not the typical solution for employee console federation from AD; Amazon Cognito is primarily aimed at customer identity and application sign-in, not as the primary mechanism for workforce console access to AWS accounts.

Therefore, A provides the required federation with the smallest operational footprint while supporting role-based access control.

Amazon EFS integrates natively with Lambda, supports shared, persistent storage, and allows independent updates without redeploying functions. EBS and /tmp are not supported for this use case; FSx is unnecessary.

The issue described is a classic case of read-heavy reporting workloads interfering with transactional application traffic. Although the RDS instance is configured for Multi-AZ, Multi-AZ deployments are designed for high availability and failover, not for scaling read performance. All reads and writes still occur on the primary instance, which explains why reporting queries negatively affect customer-facing performance.

Option C, adding an Amazon RDS read replica, is the most effective and AWS-recommended solution. Read replicas asynchronously replicate data from the primary instance and provide a separate endpoint for read-only workloads such as reporting, analytics, and dashboards. By redirecting the finance team’s reporting queries to the replica endpoint, the primary database is freed to handle transactional workloads, significantly improving overall application performance.

Option A (RDS Proxy) helps manage database connections efficiently, especially for bursty workloads, but it does not offload query execution or isolate heavy read traffic. Option B is invalid because RDS Multi-AZ does not support spreading a single DB instance across three AZs, and even if it did, it would not reduce read contention. Option D increases instance resources but does not solve the root cause; reporting queries would still compete with production traffic and would also increase cost unnecessarily.

Therefore, C is the optimal solution because it isolates reporting workloads, scales read capacity, improves application responsiveness, and aligns with AWS best practices for high-performance database architectures.

The problem is scale-out latency: when traffic spikes, new instances take time to launch, initialize, and pass health checks. This can temporarily degrade user experience even if Auto Scaling eventually adds enough capacity. The goal is to improve responsiveness to sudden spikes cost-effectively.

A key Auto Scaling feature for this situation is an EC2 Auto Scaling warm pool. A warm pool maintains a set of pre-initialized instances (stopped or running, depending on configuration) that Auto Scaling can rapidly transition into service. This reduces the time needed for instance launch and initialization, enabling faster scale-out during unexpected surges.

Option B is best because it supports the application’s peak needs by ensuring Auto Scaling can scale up to the required maximum capacity and keeps warm capacity ready. While a warm pool has some cost (especially if instances are kept running), it is typically more cost-effective than permanently running peak capacity all the time. It improves user experience by minimizing cold start delays during spikes.

Option A is counterproductive: lowering minimum capacity increases the likelihood of scale-out delays. Option C is illogical as written (“increase maximum to meet normal demand”); maximum should reflect peak potential, and a warm pool without sufficient max headroom will not solve the spike problem. Option D uses scheduled scaling, but the spike is unexpected, and increasing instance sizes increases cost and does not address launch delay; it may also reduce horizontal scaling flexibility.

Therefore, B is the most cost-effective way to improve scale-out performance and protect user experience during unexpected bursts.

Amazon FSx for ONTAP supports both NFS and SMB protocols and includes automated tiering between SSD and capacity pool storage, optimizing cost and performance. It is ideal for mixed operating systems and varied access patterns with minimal administrative overhead.

According to the AWS Well-Architected Framework – Security Pillar and the AWS Identity and Access Management (IAM) User Guide, the root user account in an AWS account is extremely powerful and should be protected with strict security measures.

From AWS documentation:

“We recommend that you not use the root user for everyday tasks, even administrative ones. Instead, create IAM users and grant them only the permissions they need. To help protect your AWS account, enable multi-factor authentication (MFA) for the root user.”

(Source: AWS Identity and Access Management User Guide – Securing the Root User)

The correct and recommended action is to create IAM users with specific permissions for daily operations and enable MFA on the root user to provide an additional layer of security. The root user cannot be disabled, so Option A is technically incorrect. AWS also explicitly advises against using root access keys (Option C) or sharing root credentials (Option D), both of which violate the principle of least privilege.

Best practices summarized from AWS official documentation:

Do not use root user for routine tasks

Enable MFA for root user immediately

Create individual IAM users and assign least privilege

Avoid creating or using root user access keys

These recommendations are foundational to securing any new AWS account and are consistently emphasized in the AWS Certified Solutions Architect – Official Study Guide and the AWS Security Best Practices whitepaper.

AWSSecrets Manageris the best solution for securely storing and managing sensitive information, such as usernames and passwords. Secrets Manager provides automatic rotation, fine-grained access control, and encryption of credentials. It is designed to integrate easily with other AWS services, such as CloudFormation, to automate the retrieval of secrets via theBatchGetSecretValue API.

Secrets Manager has a lower operational overhead than manually managing credentials, and it offers features like automatic secret rotation that reduce the need for human intervention.

Option A and C (Parameter Store): While Systems Manager Parameter Store can store secrets, Secrets Manager provides more specialized capabilities for securely managing and rotating credentials with less operational overhead.

Option B and C (AWS Batch): Introducing AWS Batch unnecessarily complicates the solution. Secrets Manager already provides simple API calls for retrieving secrets without needing an additional service.

AWS References:

AWS Secrets Manager

Secrets Manager with CloudFormation

The requirement is to restrict actions by Region to prevent accidental cross-Region operations that could violate data residency rules. The most direct and flexible way to enforce Region-based restrictions in AWS is to use IAM condition keys, specifically aws:RequestedRegion, in identity-based policies (and commonly in permission boundaries or SCPs when managing an organization).

Option B is correct because it applies Region constraints at authorization time. By adding conditions that allow actions only when aws:RequestedRegion matches an approved list (or denies when it matches disallowed Regions), the company can prevent users and roles from creating, modifying, or accessing resources in the wrong Region. This approach is broad and can be applied across many services, not just EC2, making it suitable for enforcing data residency boundaries across a multi-Region footprint.

Option A is too narrow because it restricts only ec2:RunInstances. Data residency concerns typically apply to many services (S3, RDS, DynamoDB, KMS, etc.), and limiting only EC2 does not prevent accidental data operations elsewhere. Option C controls where requests come from (source IP), not which Region is targeted. Option D (AWS Config) is detective, not preventative; it can alert after noncompliant actions occur, which does not meet the requirement to prevent accidental operations.

Therefore, B best meets the requirement by enforcing Region-level guardrails through IAM authorization conditions, helping ensure workloads remain within approved geographic boundaries.

Amazon Route 53 is a highly available and scalable authoritative DNS service. To move a public domain, you create a public hosted zone, import or recreate the zone records, and then update the registrar to use the Route 53 name servers assigned to the zone. Route 53 is globally distributed and designed for rapid propagation and resilience, and supports features such as health checks and routing policies. A private hosted zone (Option B) is resolvable only by VPCs that are associated with it and is not for public internet DNS. Directory Service and zone transfers (Option C) are unrelated to Route 53 public DNS hosting. Route 53 Resolver inbound endpoints (Option D) provide hybrid DNS forwarding for VPC workloads, not authoritative public hosting. Therefore, the fastest AWS-native migration path to a resilient managed DNS is to create a Route 53 public hosted zone and import the existing zone file.

Amazon EFS is a fully managed, scalable file storage service that can be accessed concurrentlyby thousands of EC2 instances. It supports General Purpose performance mode for latency-sensitive use cases and provides high availability and durability across multiple Availability Zones with minimal changes to application code.

This solution is the most cost-effective and meets the RPO and RTO requirements of 24 hours.

Automatic Snapshots: Amazon RDS automatically creates snapshots of your DB instance at regular intervals. By copying these snapshots to another AWS Region every 24 hours, you ensure that you have a backup available in a different geographic location, providing disaster recovery capability.

RPO and RTO: Since the company’s RPO and RTO are both 24 hours, copying snapshots daily to another Region is sufficient. In the event of a disaster, you can restore the DB instance from the most recent snapshot in the target Region.

Why Not Other Options?:

Option A (Cross-Region Read Replica): This could provide a faster recovery time but is more costly due to the ongoing replication and resource usage in another Region.

Option B (DMS Cross-Region Replication): While effective for continuous replication, it introduces complexity and cost that isn’t necessary given the 24-hour RPO/RTO.

Option C (Cross-Region Native Backup Copy): This involves more manual steps and doesn’t offer as straightforward a solution as automated snapshot copying.

AWS References:

Amazon RDS Automated Backups and Snapshots- Details on automated backups and snapshots in RDS.

Copying an Amazon RDS DB Snapshot- How to copy DB snapshots to another Region.

Amazon FSx for Lustre is the ideal solution for high-performance computing (HPC) workloads that require parallel access to a shared file system with low latency. FSx for Lustre is designed specifically to meet the needs of such workloads, offering sub-millisecond latencies, which makes it well-suited for the 1 ms latency requirement mentioned in the question.

Here is why FSx for Lustre is the best fit:

Parallel File System: FSx for Lustre is a parallel file system that can scale across hundreds of Amazon EC2 instances, providing high throughput and low-latency access to data. It is optimized for processing large datasets in parallel, which is essential for HPC workloads.

Low Latency: FSx for Lustre is capable of providing access latencies well within 1 ms, making it ideal for performance-sensitive workloads like HPC.

Seamless Integration with Amazon S3: FSx for Lustre can be linked to an Amazon S3 bucket. This integration allows data to be imported from S3 into FSx for Lustre before the workload begins and exported back to S3 after processing. This feature is crucial for manual postprocessing because it enables engineers to access the dataset in S3 after processing.

Performance: FSx for Lustre is built for workloads that require high performance, such as machine learning, analytics, media processing, and financial simulations, which are typical for HPC environments.

In contrast:

Amazon EFS (Option A): While EFS provides shared file storage and scales across multiple EC2 instances, it does not offer the same level of performance or sub-millisecond latencies as FSx for Lustre. EFS is more suited for general-purpose workloads, not high-performance computing.

Mounting S3 as a file system (Option B and D): S3 is object storage, not a file system designed for low-latency access and parallel processing. Mounting S3 buckets directly or using AWS Resource Access Manager to share the bucket would not meet the low-latency (1 ms) or performance requirements needed for HPC workloads.

Therefore, Amazon FSx for Lustre (Option C) is the most appropriate and verified solution for this scenario.

AWS References:

Amazon FSx for Lustre

Best Practices for High Performance Computing (HPC)

Amazon FSx and Amazon S3 Integration

If the SQS visibility timeout is set shorter than the time it takes for the application to process and delete the message, the message becomes visible to other consumers and can be processed again, resulting in duplicate processing. This is a common cause of duplicate messages when using SQS.

Reference Extract from AWS Documentation / Study Guide:

" If the visibility timeout for a message is set shorter than the time it takes to process the message, the message becomes visible again and can be received and processed again, resulting in duplicate processing. "

Source: AWS Certified Solutions Architect – Official Study Guide, SQS and Messaging section.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

To capture traffic metadata to and from network interfaces in a VPC, the correct telemetry source is VPC Flow Logs. Flow Logs can publish records to destinations such as CloudWatch Logs, which is a natural first landing zone for near-real-time log ingestion and centralized retention/permissions. The next requirement is to stream that data to Amazon OpenSearch Service for analysis with minimal operational overhead.

Amazon Data Firehose is purpose-built for fully managed delivery of streaming data to destinations including OpenSearch. Firehose handles buffering, batching, retry behavior, and optional transformations, and it minimizes the need to build and operate custom consumers. Therefore, sending VPC Flow Logs to CloudWatch Logs and then using Firehose to deliver to OpenSearch is an operationally efficient and scalable pattern.

Option A uses Kinesis Data Streams, which would require building/operating consumers (or additional integration components) to read from the stream and load into OpenSearch, adding operational complexity compared with Firehose’s managed delivery. Options C and D are incorrect because CloudTrail records API activity and governance events, not VPC network flow records; VPC Flow Logs do not publish to CloudTrail trails.

Thus, B best meets the requirement: Flow Logs capture the network interface traffic metadata; CloudWatch Logs provides near-real-time log collection; and Firehose provides managed streaming delivery into OpenSearch for indexing and analytics with minimal operational effort.

To handle unpredictable traffic surges and improve scalability, Auto Scaling is essential. Creating an AMI and deploying it into an Auto Scaling group behind an Application Load Balancer (ALB) allows AWS to automatically scale the number of EC2 instances based on demand.

This architecture improves availability and responsiveness by distributing traffic and launching instances when needed. Option A satisfies the need for high scalability and resilience. Other options either lack Auto Scaling or are more complex without added benefit in this context.

AWS Step Functions provides a low-code, fully managed workflow service with a visual interface to orchestrate AWS Glue jobs in sequence. Step Functions integrates natively with AWS Glue and can be triggered by Amazon EventBridge based on events or schedules.

AWS Documentation Extract:

“AWS Step Functions makes it easy to coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Step Functions provides visual workflows and integrates with AWS Glue for ETL orchestration.”

(Source: AWS Step Functions documentation)

A: Manual scripting and dashboards do not provide a low-code or integrated visual workflow.

C: QuickSight is for BI, not workflow visualization.

D: ECS adds unnecessary complexity.

Amazon SQS FIFO queuesensure that orders are processed in the exact order received and maintain message deduplication.

AWS Lambdascales automatically, handling bursts and maintaining high availability in a cost-effective manner.

Option A and D:Amazon SNS does not guarantee ordered processing.

Option C:Standard SQS queues do not guarantee order.

AWS Documentation References:

Amazon SQS FIFO Queues

To improve read performance for a MySQL-based RDS database under load, you can:

Use Read Replicas: Amazon RDS supports MySQL read replicas, which help offload read operations from the primary database, improving performance during high traffic.

Use ElastiCache (Memcached): Adding an in-memory cache layer using Amazon ElastiCache reduces the load on the RDS instance by serving frequent queries directly from memory, especially when data is not updated often.

Option A (AWS WAF) is for web security, not database performance. Option D relates to storage optimization, not query latency. Option E would require re-architecting from relational to NoSQL, which is unnecessary and disruptive.

Amazon CloudFront is a highly cost-effective CDN that caches content like images and videos at edge locations globally. This reduces latency and the load on the origin S3 bucket. It is ideal for static content that is accessed by many users.

Amazon EFS provides a fully managed, highly available, and shared file system that can be mounted by instances across multiple Availability Zones. This ensures consistency of files between EC2 instances and avoids replication issues. EBS volumes, in contrast, are AZ-scoped and not designed for multi-instance sharing. Options A and B rely on custom replication or manual file handling, which increases operational overhead and risks inconsistencies. Option D does not solve the shared access and consistency requirement. By migrating storage to EFS, both EC2 instances will read and write to the same storage system, ensuring that users always access the latest files without 404 errors.

To track costs by department, you must activate the custom department tag as a cost allocation tag in the AWS Organizations management account. Once activated, Cost Explorer and cost and usage reports can group costs by this tag for all linked accounts. The most operationally efficient way is to activate only the relevant department tag and create a cost and usage report grouped by that tag.

AWS Documentation Extract:

“To use a tag for cost allocation, you must activate it in the AWS Billing and Cost Management console. After activation, you can use the tag to group costs in Cost Explorer and reports.”

(Source: AWS Cost Management documentation)

A, E: aws:createdBy is not related to department cost grouping and is unnecessary.

B: Applying extra filters is optional; D is more direct and operationally efficient.

Option Aintroduces complexity and does not scale well.

Option Bcreates a read replica, offloading read traffic from the primary RDS instance without impacting the critical application.

Option Cis manual and inefficient.

Option Dmight help for caching frequently queried data but is not ideal for ad-hoc reporting.Therefore, Option B is the best choice.

This solution directly addresses the scalability and high availability requirements with minimal downtime.

Additional Reader Instances: Adding more reader instances to the Aurora cluster will distribute the read load, improving the performance of the application under heavy read traffic. Aurora reader instances automatically replicate the data from the writer instance, enabling you to scale out read operations.

Amazon RDS Proxy: RDS Proxy improves database availability by managing database connections more efficiently and providing a connection pool. This reduces the overhead on the Aurora cluster during peak loads, further enhancing performance and availability without requiring changes to the application code.

Why Not Other Options?:

Option A (EventBridge and Lambda): This doesn’t directly address the performance and availability issues. Logging state changes and adding reader nodes on failure events doesn’t provide proactive scalability.

Option B (Zero-Downtime Restart and Activity Streams): Zero-Downtime Restart (ZDR) is useful for minimizing downtime during maintenance but doesn’t directly improve scalability. Database Activity Streams are more for security monitoring than for performance enhancement.

Option D (ElastiCache for Redis): While adding a caching layer can help with read performance, it introduces complexity and may not be necessary if additional reader instances can handle the load.

AWS References:

Amazon Aurora Scaling- Information on scaling Aurora clusters with reader instances.

Amazon RDS Proxy- Details on how RDS Proxy can improve database performance and availability.

AWS Storage Gateway file gateway presents a file interface backed by Amazon S3 and supports NFS. This allows local applications to access data via NFS while also enabling cloud applications to use the data stored in S3 for analytics and processing, fulfilling both hybrid and cloud-native requirements.

Reference Extract:

" AWS Storage Gateway file gateway offers NFS and SMB access to data stored in Amazon S3, supporting hybrid workloads for local and cloud access. "

Source: AWS Certified Solutions Architect – Official Study Guide, Hybrid and Storage Gateway section.

Amazon S3 is the most cost-effective option for archiving data. Using AWS DMS to migrate to S3 in Apache Parquet format provides an optimized columnar format for analytics. By storing in S3 Glacier Flexible Retrieval, costs are minimized while maintaining compliance with retention. When queries are required, Athena can run SQL queries directly on archived data in S3 without provisioning infrastructure. Options A and B rely on maintaining RDS or EC2 instances, which increases cost and operational overhead. Option C requires full restores to EC2 before running queries, which is slow and inefficient. Therefore, D provides the lowest operational overhead and direct query capability with Athena.

For cost-effectiveness and high availability in Amazon EMR workloads, the best approach is to configure atransient cluster(which runs for the duration of the job and then terminates) withOn-Demand Instancesfor the primary and core nodes, andSpot Instancesfor the task nodes. Here ' s why:

Primary and core nodes on On-Demand Instances: These nodes are critical because they manage the cluster and store data on HDFS. Running them on On-Demand Instances ensures stability and that no data is lost, as Spot Instances can be interrupted.

Task nodes on Spot Instances: Task nodes handle additional processing and can be used with Spot Instances to reduce costs. Spot Instances are much cheaper but can be interrupted, which is fine for non-critical tasks as the framework can handle retries.

Atransient clusteris more cost-effective than a long-running cluster for workloads that only run for 6 hours a day. Transient clusters automatically terminate after the workload completes, saving costs by not keeping the cluster running when it ' s not needed.

Option A: A long-running cluster may result in unnecessary costs when the cluster isn ' t being used.

Option C: Running core nodes on Spot Instances risks data loss if the Spot Instances are interrupted, violating the requirement for zero data loss.

Option D: Running both core and task nodes on Spot Instances is highly risky for data-critical workloads.

AWS References:

Amazon EMR Cluster Management

Using Spot Instances in EMR

Key Requirements:

Protect public endpoints (CloudFront distributions and ALBs) frommalicious attacks.

Centralizedmanagementacross multiple accounts in an organization.

Ability tomonitor security configurationseffectively.

Minimizeoperational overhead.

Analysis of Options

Option A:

AWS WAF:Protects web applications by filtering and blocking malicious requests. Rules can be applied to both ALBs and CloudFront distributions.

AWS Firewall Manager:Enables centralized management of WAF rules across multiple accounts in an AWS Organizations organization. It simplifies rule deployment, avoiding the need to configure rules individually in each account.

AWS Config:Monitors compliance by using rules that check Regional and global WAF configurations. Ensures that security configurations align with organizational policies.

Operational Overhead:Centralized management and automated monitoring reduce the operational burden.

Correct Approach:Meets all requirements with the least overhead.

Option B:

This approach involves applying WAF rules in each account manually.

While AWS Config and AWS Security Hub provide monitoring capabilities, managing individual WAF configurations in multiple accounts introduces significant operational overhead.

Incorrect Approach:Higher overhead compared to centralized management with AWS Firewall Manager.

Option C:

Similar to Option A but includesAmazon Inspector, which is not designed for monitoring WAF configurations.

AWS Security Hubis appropriate for monitoring but is redundant when Firewall Manager and Config are already in use.

Incorrect Approach:Adds unnecessary complexity and does not focus on monitoring WAF specifically.

Option D:

AWS Shield Advanced:Focuses on mitigating large-scale DDoS attacks but does not provide the fine-grained web application protection offered by WAF.

AWS Config:Can monitor Shield Advanced configurations but does not fulfill the WAF monitoring requirements.

Incorrect Approach:Does not address the need for WAF or centralized rule management.

Why Option A is Correct

Protection:

AWS WAF provides fine-grained filtering and protection against SQL injection, cross-site scripting, and other web vulnerabilities.

Rules can be applied at both ALBs and CloudFront distributions, covering all public endpoints.

Centralized Management:

AWS Firewall Manager enables security teams to centrally define and manage WAF rules across all accounts in the organization.

Monitoring:

AWS Config ensures compliance with WAF configurations by checking rules and generating alerts for misconfigurations.

Operational Overhead:

Centralized management via Firewall Manager and automated compliance monitoring via AWS Config greatly reduce manual effort.

AWS Solution Architect References

AWS WAF Documentation

AWS Firewall Manager Documentation

AWS Config Best Practices

AWS Organizations Documentation

Amazon S3 is designed for durability, scalability, and millisecond access. For small monthly data volumes (300 MB), S3 Standard is cost-effective and provides immediate access. To meet 30-day retention, Lifecycle policies can automatically expire objects after the required time. For disaster recovery, S3 Cross-Region Replication (CRR) copies objects across Regions to a backup bucket, ensuring data resiliency. OpenSearch (A) is not needed because the requirement is storage and retrieval, not indexing. Aurora or RDS options (C, D) add unnecessary complexity and cost, as a relational database is not required for JSON storage and millisecond retrieval. Therefore, option B provides the simplest, most resilient, and cost-optimized solution.

Why Option B is Correct:

AWS WAF: Provides a simple way to create geographic match rules to block or allow traffic based on country IP ranges.

Least Operational Overhead: Attaching the WAF rule to the ALB ensures centralized control without modifying ACLs or instance firewalls.

Why Other Options Are Not Ideal:

Option A: Network ACLs operate at the subnet level and can become complex to manage for dynamic or evolving IP ranges.

Option C: Managing IP-based rules in security groups and ACLs lacks scalability and does not provide country-based filtering.

Option D: Configuring host-based firewalls increases operational overhead and does not leverage AWS-managed solutions.

AWS References:

AWS WAF Geomatch:AWS Documentation - WAF Geomatch

The ALB must be in a public subnet to receive internet traffic. The EC2 instances and the RDS database should be in private subnets to prevent direct internet access, minimizing the attack surface. This aligns with AWS security best practices for web application architectures.

Reference Extract:

" Internet-facing ALBs should be placed in public subnets; EC2 instances and RDS databases should be in private subnets to restrict direct internet access. "

Source: AWS Certified Solutions Architect – Official Study Guide, Network Security and Design section.

AmazonSES (Simple Email Service)allows for the automatic ingestion of incoming emails. By setting up email receiving in SES and creating a rule set with a receipt rule, you can configure SES to invoke anAWS Lambda functionwhenever an email is received. The Lambda function can then process the email body and attachments, saving any attachments to an Amazon S3 bucket. This solution is highly scalable, cost-effective, and provides near real-time processing of emails with minimal operational overhead.

Option B (Content filtering): This only filters emails based on content and does not provide the functionality to save attachments to S3.

Option C (S3 Event Notifications): While SES can store emails in S3, SES with Lambda offers more flexibility for processing attachments in real-time.

Option D (EventBridge rule): EventBridge cannot directly listen for incoming emails, making this solution incorrect.

AWS References:

Receiving Email with Amazon SES

Invoking Lambda from SES

Lambda supports mounting an Amazon EFS file system inside your function to store larger dependencies beyond the 250 MB layer quota.

EFS automatically encrypts data in transit using TLS.

“You can configure your Lambda function to mount an Amazon EFS file system, enabling your function to access large amounts of data or large dependencies.”

“Amazon EFS automatically encrypts all data at rest and in transit.”

— Lambda with Amazon EFS

This is the least operational overhead approach.

Amazon GuardDuty includes RDS Protection that “monitors and profiles access to your Amazon Aurora and Amazon RDS databases” to detect threats such as suspicious login attempts, brute-force activity, and anomalous authentication patterns. GuardDuty can be enabled organization-wide in AWS Organizations with a delegated administrator to centralize findings for all member accounts, minimizing operational overhead. Findings include context like source IP, user, and DB instance, and integrate with Amazon EventBridge for alerting and automated response. SCPs (A) enforce or deny API permissions but do not provide detection/analytics. Exporting general logs (C) requires building and maintaining custom parsing/analytics pipelines. CloudTrail (D) records AWS control-plane API calls and does not log database-level login attempts. Therefore, enabling GuardDuty RDS Protection across the org provides the most operationally efficient, managed detection of abnormal failed and incomplete login attempts.

Amazon RDS Proxy is a fully managed database proxy for RDS that makes applications more scalable, more resilient to database failures, and more secure. RDS Proxy pools and shares database connections, allowing applications to open and close connections as needed without overwhelming the database. This is the recommended solution when the application cannot be modified to use connection pooling itself.

AWS Documentation Extract:

" Amazon RDS Proxy helps manage database connections to improve application scalability and performance. It pools connections and shares them among application clients, which can mitigate issues caused by opening and closing many database connections. "

(Source: Amazon RDS Proxy documentation)

A: Upgrading the instance does not solve connection inefficiency and can be cost-ineffective.

B: Increasing IOPS only helps if storage is a bottleneck, not if connections are the issue.

D: Multi-AZ improves availability, not connection management.

Use SQS FIFO to durably persist orders, guarantee order processing semantics, and decouple producers/consumers. FIFO queues provide “exactly-once processing” with message deduplication and “preserve message order.” Visibility timeouts and retries ensure messages are “processed eventually” without being lost; failed messages go to a DLQ for later reprocessing. This pattern aligns with Well-Architected reliability guidance to “queue work to protect against overload and failures” and to ensure “durable, idempotent processing” with retry and backoff. ALB/RDS Proxy/read replicas (A, B) improve availability/connection management but do not guarantee durable handoff or exactly-once processing. SNS (D) is pub/sub and does not provide FIFO semantics in this option, nor a DLQ per subscription for exactly-once. Therefore, frontends write orders to an SQS FIFO queue; backend workers in an Auto Scaling group consume, process idempotently, and use a DLQ for poison messages to meet “no lost orders,” “eventual processing,” and “exactly-once” requirements.

IAM Role: Attaching an IAM role to an EC2 instance profile is a secure way to manage permissions without embedding credentials.

AWS Secrets Manager: Grants controlled access to database credentials and automatically rotates secrets if configured.

Identity-Based Policy: Ensures the IAM role only has access to specific secrets, enhancing security.

AWS Secrets Manager Documentation

EMR runtime roles allow fine-grained permissions per job, letting each team access only the services they are authorized to use. This isolates IAM permissions per workload and avoids exposing instance-level credentials through IMDSv2. Runtime roles improve security posture in multi-tenant EMR environments.

AWS guidance for global, highly available, low-latency applications using a relational database recommends:

Amazon CloudFront with Amazon S3 for static content to cache data at edge locations globally and minimize latency for static assets.

A regional application tier deployed close to users using managed container services such as Amazon ECS on AWS Fargate, which removes the need to manage servers and scales automatically, reducing operational overhead.

A relational database tier using Amazon Aurora global database, which is purpose-built for globally distributed applications. Aurora global database provides a primary cluster in one Region with low-latency read replicas in secondary Regions and fast cross-Region replication, enabling low-latency reads and high availability for global users.

Option A uses only a single Region, which does not meet the “global users with low latency” requirement.

Option C uses RDS and DMS-based replication, which requires more management and does not provide Aurora’s integrated global database features.

Option D replaces the relational database with DynamoDB, which violates the requirement that the application interacts with a relational database.

Amazon Route 53 Multivalue Answer Routing: This routing policy allows Route 53 to return multiple values, such as IP addresses, in response to DNS queries. This can distribute traffic across multiple resources and includes health checks to ensure traffic is only routed to healthy instances.

Health Checks:

Configure health checks for each Region to monitor the health of the website instances.

Route 53 will only include healthy instances in the DNS responses, ensuring that traffic is not routed to an unhealthy Region.

Load Distribution and Disaster Recovery:

Multivalue answer routing helps balance the load between instances in different Regions.

If instances in one Region become unhealthy, Route 53 will route traffic to the healthy instances in the other Region.

Operational Simplicity: This solution does not require complex configurations or additional resources, making it a simple yet effective way to distribute traffic and ensure high availability.

Comprehensive and Detailed Explanation (paraphrased from AWS Solutions Architect guidance):

Amazon Route 53 latency-based routing is specifically designed to route users to the endpoint that provides the lowest latency, based on actual latency measurements between AWS Regions and users’ networks. This directly supports the goal of optimizing load times (performance).

For non-AWS endpoints (like an on-premises data center), Route 53 lets you create a latency routing record and associate it with the AWS Region that is closest to that endpoint. In this case, the on-premises data center is near us-west-1, so you associate that latency record with the us-west-1 Region.

Users for whom the eu-central-1 Region has lower latency will be routed to the AWS website in eu-central-1.

Users for whom the us-west-1–associated endpoint has lower latency will be routed to the on-premises website.

This matches AWS best practices for high-performance, low-latency architectures when you have multiple endpoints in different geographic locations, including a mix of AWS and on-premises resources.

Why the other options are not correct:

Option A (Failover routing):

Failover routing is designed for high availability and disaster recovery (active–passive), not for optimizing latency.

All traffic goes to the primary endpoint (eu-central-1) unless it is unhealthy. That does not choose the lowest-latency endpoint for each user, so it does not meet the “optimize load times as much as possible” requirement.

Option B (IP-based routing):

IP-based / geo-based policies are about directing users based on location information (IP/geo), not measured latency.

You would have to manually decide which IP ranges get which endpoint, which does not guarantee that each user goes to the lowest-latency endpoint. It’s less precise and less dynamic than latency-based routing.

Option D (Weighted routing):

Weighted routing splits traffic according to fixed weights (e.g., 50/50), regardless of user location or latency.

This is useful for testing, blue/green deployment, or gradual traffic shifting, but not for performance optimization per user.

Therefore, the only option that directly aligns with AWS guidance for performance optimization and latency-based traffic steering across Regions and on-premises endpoints is:

✅ C. Create a DNS record with a latency-based routing policy… associate the on-premises endpoint with us-west-1.

A spread placement group is designed to deploy each instance on distinct underlying hardware, reducing the risk of simultaneous failures. By spreading instances across multiple Availability Zones, you achieve high availability and fault tolerance, meeting the 99.99% uptime requirement. Spread placement groups are ideal for critical applications that require maximum resilience to single hardware failures. Neither cluster nor partition strategies offer the same guarantee of separation combined with cross-AZ distribution.

Reference Extract from AWS Documentation / Study Guide:

" Spread placement groups are recommended for applications that have a small number of critical instances that should be kept separate from each other. Instances in a spread placement group are placed on distinct underlying hardware, and when deployed across multiple Availability Zones, provide high availability. "

Source: AWS Certified Solutions Architect – Official Study Guide, Compute and High Availability section; Amazon EC2 Placement Groups Documentation.

AWS KMS with SSE-KMS provides granular key management and auditability. All use of KMS keys is logged in AWS CloudTrail, which allows compliance teams to monitor encryption and decryption operations. A bucket policy can be configured to enforce uploads only with the designated KMS key, ensuring that users cannot bypass encryption or change methods. Option A (SSE-S3 with bucket policy) enforces encryption but does not provide the same level of control or auditable key usage. Option C (client-side encryption) increases complexity and key management burden. Option D prevents bucket setting changes but does not prevent unencrypted uploads. Therefore, B ensures the most granular control, auditability, and compliance with financial data requirements.

BothAmazon KinesisandSQS FIFOqueues ensure the sequential processing of messages. By using the payment ID as the partition key in Kinesis or as the message group in the SQS FIFOqueue, messages are processed in order. Both solutions also allow for long-term retention (up to 10 days) of messages, making them suitable for this payment processing use case.

Option A (DynamoDB): DynamoDB does not guarantee message ordering for real-time processing.

Option C (ElastiCache): ElastiCache is for caching, not suitable for sequential message processing.

Option D (Standard SQS queue): A standard SQS queue does not guarantee ordering of messages.

AWS References:

Amazon Kinesis

Amazon SQS FIFO Queues

AWS Direct Connect: Provides a dedicated network connection from your on-premises data center to AWS, ensuring low latency and consistent network performance.

Direct Connect Gateway Association:

Direct Connect Gateway: Acts as a global network transit hub to connect VPCs across different AWS regions.

Association with Transit Gateway: Enables communication between on-premises data centers and multiple VPCs connected to the transit gateway.

Transit Virtual Interface (VIF):

Create Transit VIF: To connect Direct Connect with a transit gateway.

Setup Steps:

Establish a Direct Connect connection.

Create a transit VIF to the Direct Connect gateway.

Associate the Direct Connect gateway with the transit gateway attached to the VPCs.

Cost Efficiency: This combination avoids the recurring costs and potential performance variability of VPN connections, providing a robust, low-latency hybrid network solution.

For bursty and seasonal workloads, AWS recommends serverless architectures using Amazon API Gateway + AWS Lambda:

API Gateway exposes a fully managed, scalable API endpoint.

Lambda provides automatic scaling based on request volume, with no need to provision or manage servers.

This is ideal for workloads with variable or seasonal demand, such as end-of-year tax computation bursts.

This combination minimizes operational overhead (no OS patching, no capacity planning) while scaling seamlessly to meet peak demand.

Options A, C, and D rely on EC2 instances. They require capacity planning, scaling configuration, and ongoing management. They do not scale as effortlessly as Lambda for unpredictable or highly seasonal workloads.

AWS Storage Gateway Tape Gateway provides a seamless way to migrate backup data to AWS without requiring changes to the backup software. Migrating to S3 Glacier Deep Archive ensures long-term, cost-effective storage for data that rarely needs retrieval.

Option A:S3 Standard-IA is more expensive than Glacier for long-term storage.

Option B and D:Glacier Flexible Retrieval is costlier than Glacier Deep Archive for archival use cases with low retrieval frequency.

AWS Documentation References:

AWS Storage Gateway Tape Gateway

S3 Glacier Storage Classes

The correct answer is B because the application is Microsoft Windows-based , requires shared storage , must use the SMB protocol , and needs to be resilient . Amazon FSx for Windows File Server is the AWS managed file storage service built specifically for Windows workloads. It provides native SMB access , integration with Windows environments, and managed shared file storage for multiple application servers.

A Multi-AZ deployment is the key feature that satisfies the resilience requirement. Multi-AZ FSx for Windows File Server stores data synchronously across Availability Zones and can automatically fail over to a standby file server in another Availability Zone if the primary becomes unavailable. This ensures high availability for shared file access and reduces the risk of application disruption.

Option A is incorrect because Amazon S3 is object storage and does not natively provide SMB shared file semantics in the way required by Windows applications. Option C is incorrect because Amazon EBS volumes are block storage volumes that are generally attached to a single instance and are not the standard solution for resilient multi-instance shared SMB storage. Option D is incorrect because Amazon FSx File Gateway is used to provide on-premises access to Amazon FSx file systems and is not the primary shared storage service required for this cloud-native application design.

AWS storage guidance recommends Amazon FSx for Windows File Server for Windows applications that need managed file shares over SMB. When resilience is required, a Multi-AZ deployment is the most appropriate architecture.

Partition Key Issue:

Using " service name " as the partition key results in uneven data distribution. Some shards may become hot due to excessive logs from certain services, leading to throttling errors.

Changing the partition key to " creation timestamp " ensures a more even distribution of records across shards.

Incorrect Options Analysis:

Option A: On-demand capacity mode eliminates throughput management but is more expensive and does not address the root cause.

Option B: Adding more shards does not solve the issue if the partition key still creates hot shards.

Option D: Using separate streams increases complexity and is unnecessary.

Amazon SQS is the AWS-recommended service for handling decoupled, scalable, ordered, durable message ingestion with potentially large workloads. It supports payloads up to 256 KB directly and up to several MB using S3-backed large-payload extensions.

Lambda functions can process messages from SQS with automatic scaling. ECS with the Fargate launch type provides a serverless container platform for the frontend, scaling based on demand without managing servers.

SNS (Options B and D) is not a queue, does not provide durable message buffering, and is not appropriate for variable, bursty workloads that may exceed backend throughput. Lambda@Edge (Options A and D) is unsuitable for backend order processing because it runs at CloudFront edge locations with strict limitations.

AWS Config has a built-in managed rule (access-keys-rotated) that evaluates IAM access key age. Config rules detect non-compliant resources automatically, without building custom logic.

After Config identifies old keys, EventBridge can trigger an AWS Lambda function to disable and delete the keys. Lambda provides a fully managed compute layer requiring no servers or batch environments.

Using AWS Batch (Options A, B, and D) adds unnecessary operational overhead for a simple automation task.

=====================================================

Amazon EFS requires a mount target in each Availability Zone where EC2 instances access the file system. This is because each mount target provides an elastic network interface in the subnet and AZ, reducing network latency by allowing EC2 instances to communicate locally with the EFS mount target. Creating a mount target in each AZ optimizes file system access performance and availability. Instances mount the EFS file system via the mount target in their respective AZ, which provides the lowest possible latency and avoids cross-AZ traffic.

Option A, with only a single mount target in the VPC, will cause cross-AZ traffic for instances in other AZs, increasing latency and potentially incurring data transfer costs. Option B is incomplete and introduces complexity with sharing directories across instances. Option C is invalid because mount targets are per AZ and per subnet, not per instance.

AWS documentation states that Amazon Macie is the managed service designed to automatically identify and classify sensitive data stored in Amazon S3, including PII and healthcare-related identifiers.

Storing logs in Amazon S3 provides scalable, durable storage, and Amazon Athena can directly query JSON data stored in S3 using SQL.

Amazon Inspector (Option D) is for vulnerability scanning and does not identify sensitive data. DynamoDB with KMS (Option C) cannot detect sensitive information. EBS (Option B) requires custom tooling and does not support serverless SQL querying.

=====================================================

AWS provides EBS Block Public Access at the organization level in AWS Organizations. When enabled, it prevents any EBS snapshot—across all member accounts—from being shared publicly.

This is an organization-wide control implemented centrally, with no need for per-account configuration, monitoring rules, or custom IAM policy enforcement.

AWS Config (Option A) would only detect issues after they occur. IAM restrictions (Option C) are less effective because snapshot permission changes can occur through multiple paths. CloudTrail (Option D) only logs events and does not block public sharing.

=====================================================

A VPC gateway endpoint for Amazon S3 enables private connectivity to S3 without routing traffic through a NAT gateway or over the internet, eliminating NAT gateway costs. This solution is secure and redundant, as S3 endpoints are highly available by design.

AWS Documentation Extract:

" A gateway VPC endpoint enables you to privately connect your VPC to supported AWS services without requiring a NAT gateway or internet gateway. "

(Source: Amazon VPC documentation, Gateway Endpoints)

A: NAT instances still incur operational overhead and costs.

B: Internet gateway exposes resources and does not provide private access.

D: Direct Connect is for hybrid networking, not for cost-efficient S3 access.

This question centers on improving scalability and global access performance.

Auto Scaling groups enable EC2 instances to scale dynamically in response to demand, ensuring availability during peak hours without manual intervention. Amazon RDS read replicas offload read traffic, improving read throughput and reducing latency on the primary database instance. Deploying Amazon CloudFront with S3 as origin accelerates delivery of static transaction documents globally by caching content at edge locations, reducing latency for users worldwide.

Option B focuses on vertical scaling (larger instances) and caching with ElastiCache, but it does not address global content delivery optimally. AWS Global Accelerator accelerates network traffic but is better suited for accelerating TCP and UDP traffic; CloudFront is generally preferred for HTTP content delivery.

Option C migrates workloads to Lambda and Aurora global databases, which is an advanced and potentially costly redesign that may not be necessary. Option D suggests moving to ECS and multi-AZ RDS but does not address global content delivery efficiently.

Therefore, option A uses proven scalability and caching best practices aligned with AWS Well-Architected Framework pillars for performance and operational excellence.

The most effective and AWS-recommended way to mitigate unwanted traffic at the edge is to use AWS WAF integrated with CloudFront. Option D allows the architect to block or throttle malicious traffic before it reaches the ALB or EC2 instances.

Rate-based rules automatically block IP addresses that exceed a defined request threshold, making them ideal for mitigating abusive traffic patterns. This reduces load on backend resources and improves performance for legitimate users.

Options A, B, and C are less effective or introduce unnecessary cost and complexity. Shield does not provide granular rate control, Auto Scaling increases cost, and NACLs are difficult to manage dynamically.

Therefore, D is the correct and most secure solution.

The correct answer is A because the application is a global Voice over IP workload that needs low latency , high availability , and automated failover across AWS Regions . AWS Global Accelerator is specifically designed to improve the availability and performance of global applications by routing user traffic over the AWS global network to the optimal healthy endpoint. It uses static Anycast IP addresses , which means users connect through fixed IP addresses that do not depend on client-side DNS or IP address caching behavior.

This is especially valuable for latency-sensitive applications such as Voice over IP, where rapid routing decisions and fast failover are critical. Global Accelerator continuously monitors endpoint health and can automatically direct traffic to healthy endpoints in another AWS Region if a failure occurs. This supports the requirement for cross-Region failover with minimal disruption.

Option B is incorrect because Route 53 geolocation routing directs traffic based on user location, but DNS-based routing can be affected by client-side caching and does not provide the same performance acceleration or fast failover behavior as Global Accelerator. Option C is incorrect because Amazon CloudFront is primarily a content delivery network for HTTP and similar content distribution scenarios, not the preferred service for real-time Voice over IP traffic. Option D is incorrect because an Application Load Balancer does not by itself provide global routing or multi-Region failover.

AWS best practices for global, latency-sensitive applications recommend AWS Global Accelerator when the goal is to improve performance, use the AWS backbone network, and provide health-based failover without depending on DNS cache expiration. Therefore, AWS Global Accelerator with health checks is the best solution.

Incremental Exports: Exporting DynamoDB data directly to Amazon S3 provides an automated, serverless way to make data available for analytics without operational overhead.

Analytics-Friendly Storage: Amazon S3 supports long-term analytics workloads and can integrate with tools like Athena or QuickSight.

DynamoDB Export to S3 Documentation

For bidirectional communication such as chat applications, Amazon API Gateway WebSocket API is the correct service. WebSocket APIs allow clients to establish long-lived connections and exchange messages with the backend Lambda functions in real time.

HTTP APIs and REST APIs are suitable for request-response models, not continuous two-way communication. CloudFront cannot maintain stateful WebSocket connections, so only Option C fits the requirements for a real-time, bidirectional application.

Aurora Global Database: Provides cross-Region disaster recovery with minimal data loss ( < 1 second replication latency).

S3 Cross-Region Replication (CRR): Automatically replicates data between buckets in different Regions.

“Aurora Global Database replicates your data with typically under one second of latency to secondary Regions.”

“Amazon S3 Cross-Region Replication automatically replicates objects across buckets in different AWS Regions.”

— Aurora Global Database

— S3 Cross-Region Replication

This meets the multi-Region DR requirement with minimal data loss.

A warm pool is an Auto Scaling feature that keeps instances in a pre-initialized state so they can quickly join the active group when scaling is required. This reduces the time needed for instance bootstrapping and makes new capacity available almost instantly. Option A only increases capacity limits but does not address slow boot times. Option C merely extends grace periods without solving the delay. Option D forces overprovisioning, which is wasteful and not aligned with cost optimization. Using a warm pool (B) directly addresses the problem by reducing response time to scaling events.

Explanation (AWS Docs):

DynamoDB Accelerator (DAX) is a fully managed, in-memory cache specifically for DynamoDB. It reduces read load and latency without requiring code changes (only SDK config). This is the least development effort.

“Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available in-memory cache for DynamoDB that delivers microsecond read performance and requires minimal application changes.”

— Amazon DAX

The correct answer is C because the company already uses Amazon FSx for NetApp ONTAP and requires a disaster recovery solution in a secondary Region that preserves access through the same protocols , specifically CIFS and NFS . The most appropriate solution is to deploy a second FSx for ONTAP file system in the secondary Region and use NetApp SnapMirror to replicate data between Regions. SnapMirror is built for ONTAP-based replication and is the native mechanism for efficient, storage-level disaster recovery.

This option provides the least operational overhead because it uses the capabilities already integrated into FSx for ONTAP rather than introducing another storage platform or custom replication tooling. It also preserves protocol compatibility, so applications in the recovery Region can continue to access data through CIFS and NFS without architectural changes.

Option A is incorrect because replicating data to Amazon S3 does not preserve native CIFS and NFS file shares. Option B can support recovery, but backups and restores are not the best fit for an active DR strategy where the secondary Region needs accessible replicated storage with the same protocols and lower recovery effort. Option D is incorrect because Amazon EFS does not provide CIFS/SMB support in the same way as FSx for ONTAP and would require a platform change.

AWS guidance for FSx for ONTAP disaster recovery favors using SnapMirror replication to another FSx for ONTAP deployment. This approach is protocol-compatible, efficient, and operationally simpler than building a custom DR workflow.

The requirements include:

Scalability: The solution must scale as video files are uploaded.

Long-running tasks: Processing tasks can take up to 30 minutes. AWS Lambda has a maximum execution time of 15 minutes, which rules out options that involve Lambda performing all the processing.

Serverless and event-driven architecture: Ensures cost-effectiveness and high availability.

Analysis of Options:

Option A:

AWS Lambda has a 15-minute timeout, which cannot support tasks that take up to 30 minutes.

EventBridge Scheduler is unnecessary for monitoring files when native event notifications are available.Not a valid choice.

Option B:

AWS Step Functions and AWS Fargate can handle long-running processes, but Amazon EFS is not the ideal storage for uploaded video files in a serverless architecture.

Processing tasks triggered by EFS events are not a common pattern and may introduce complexities.Not the best practice.

Option C:

Amazon S3 is used for storing uploaded files, which integrates natively with event-driven services like EventBridge and Step Functions.

Amazon S3 event notifications trigger a Step Functions workflow, which can orchestrate Fargate tasks to process large video files, meeting the scalability and execution time requirements.Correct choice.

Option D:

Similar to Option A, AWS Lambda cannot handle long-running processes due to its 15-minute timeout.

Invoking Lambda for processing directly is not feasible for tasks that take up to 30 minutes.Not a valid choice.

AWS References:

Amazon S3 Event Notifications:AWS Documentation - S3 Event Notifications

AWS Step Functions:AWS Documentation - Step Functions

AWS Fargate:AWS Documentation - Fargate

Comparison of Storage Services:AWS Storage Options

By leveragingAmazon S3,Step Functions, andFargate, this solution provides a scalable, efficient, and serverless approach to handling video processing tasks.

Given the large size (180 TB) of the database and the time constraint,AWS Snowball Edge Storage Optimizedis the best solution. Snowball Edge allows for the physical transfer of large datasets to AWS efficiently without relying on slow internet connections.AWS DMSandSCTcan be used to perform ongoing replication of any changes made during the migration, ensuring minimal downtime.

Option B (VPN): Using a 100 Mbps internet connection would take far too long to transfer 180 TB.

Option C (Direct Connect): Establishing a 10 Gbps Direct Connect link might not be feasible within the 2-week timeframe.

Option D (DataSync over internet): With the existing internet connection, DataSync would also take too long.

AWS References:

AWS Snowball Edge

AWS DMS

To achieve high availability for the website, two key actions should be taken:

Amazon RDS for MySQL Multi-AZ: By migrating the database to an RDS for MySQL Multi-AZ deployment, the database becomes highly available. Multi-AZ provides automatic failover from the primary database to a standby replica in another Availability Zone, ensuring database availability even in the case of an AZ failure.

Application Load Balancer and Auto Scaling: Deploying an Application Load Balancer (ALB) in front of the EC2 instances ensures that traffic is evenly distributed across the instances. Configuring an Auto Scaling group to run EC2 instances across multiple Availability Zones ensures that the application remains available even if one instance or one AZ becomes unavailable. This setup enhances fault tolerance and improves reliability.

Why Not Other Options?:

Option A (Internet Gateway per AZ): Internet Gateways are region-wide resources and do not need to be provisioned per Availability Zone. This option does not contribute to high availability.

Option C (DynamoDB + Auto Scaling): DynamoDB would require changes to the application code to switch from MySQL, which is not possible per the question ' s constraints.

Option D (DataSync): AWS DataSync is used for data transfer and synchronization, not for achieving high availability for a database.

AWS References:

Amazon RDS Multi-AZ Deployments- Explanation of how Multi-AZ deployments work in Amazon RDS.

Application Load Balancing- Details on how to configure and use ALB for distributing traffic across multiple instances.

To ensure container images are secure and to notify administrators about vulnerabilities, the solution needs (1) a vulnerability scanning capability for container images and (2) a notification mechanism that alerts when findings occur. Amazon Inspector provides automated security assessments and can scan container images stored in Amazon ECR to identify software vulnerabilities and unintended network exposure patterns, producing findings that can be acted upon. Therefore, D addresses the core requirement of detecting vulnerabilities in container images.

To notify administrators with minimal custom work, AWS Config can help by evaluating resources against desired configurations and integrating with notifications through AWS services (for example, via Amazon SNS using Config rules/conformance packs). Using the AWS Config conformance pack for Amazon ECS helps establish a managed set of compliance checks aligned to ECS-related best practices. While Inspector is the system that detects vulnerabilities, Config can be used to enforce and monitor governance controls around the container environment and can trigger notifications when noncompliance is detected. In exam patterns, pairing an Inspector detection capability with a managed governance/notification framework like Config is a common “two-part” answer.

The other options do not meet the requirement: A (privileged mode) can increase risk rather than improve image security; logging does not equal vulnerability detection. C is unrelated because AWS WAF protects web applications at the edge and does not scan container images for CVEs. E is incorrect because Parameter Store stores configuration data and secrets; it does not encrypt container images (ECR encryption at rest is handled by AWS-managed mechanisms and KMS integration, not Parameter Store).

So D provides scanning and B supports managed compliance/notification controls with low operational overhead.

Detailed Explanation:

A. IAM identity provider:Does not support centralized management across multiple accounts.

B. AWS Managed AD:Unnecessary if an on-premises Active Directory already exists.

C. IAM Identity Center + Existing AD:Best approach to integrate existing Active Directory for SSO, with MFA and centralized permissions.

D. Lambda for synchronization:Adds complexity and does not leverage IAM Identity Center capabilities.

Amazon EFS Lifecycle Management enables automatic cost optimization by transitioning files that haven’t been accessed for a defined period (e.g., 7 days) from EFS Standard to EFS Infrequent Access (IA).

“Amazon EFS Lifecycle Management automatically moves files that haven’t been accessed for a set period to the EFS Infrequent Access storage class, reducing storage costs for infrequently accessed files.”

— Amazon EFS Documentation

Key Points:

EFS IA is ideal for files larger than 128 KB and accessed less frequently.

It’s seamless — no code or tools needed.

Meets requirement for cost optimization and high availability.

Incorrect Options:

A: File Gateway adds unnecessary complexity and does not use EFS.

B: Storing files locally breaks shared access and resiliency.

D: Glacier Deep Archive is cold storage — not " readily available. "

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. By creating a Config rule, you can automatically check whether your Amazon EBS volumes are encrypted and flag those that are not, with minimal cost and configuration effort.

AWS Config Rule: AWS Config provides managed rules that you can use to automatically check the compliance of your resources against predefined or custom criteria. In this case, you wouldcreate a rule to evaluate EBS volumes and determine if they are encrypted. If a volume is not encrypted, the rule will flag it, allowing you to take corrective action.

Operational Overhead: This approach significantly reduces operational overhead because once the rule is in place, it continuously monitors your EBS volumes for compliance, and there’s no need for manual checks or custom scripting.

Why Not Other Options?:

Option A (Lambda with API calls and EventBridge): While this can work, it involves writing and maintaining custom code, which increases operational overhead compared to using a managed AWS Config rule.

Option B (API calls on Fargate): Running API calls on Fargate is more complex and costly compared to using AWS Config, which provides a simpler, managed solution.

Option C (IAM policy with Cost Explorer): This option does not directly enforce encryption compliance and involves manual intervention, making it less efficient and more prone to errors.

AWS References:

AWS Config Rules- Overview of AWS Config rules and how they can be used to evaluate resource configurations.

Amazon EBS Encryption- Information on how to manage and enforce encryption for EBS volumes.

Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using CloudHSM (C) adds cost and operational burden. Therefore, the correct solution is D — enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure encryption.

AWS documentation states that the correct and least-privilege method for cross-account SNS-to-SQS integration is:

• Add specific SNS topic ARNs to the SQS queue policy.

• Allow only those topics to publish messages to the queue.

• Ensure SNS has permission to publish to the specific queue ARN.

This ensures strict scoping and adheres to least privilege.

Options A and D grant overly broad permissions. Option B allows publishing to any queue, which violates least privilege.

To process each form exactly once and ensure no data is lost, using an Amazon SQS FIFO (First-In-First-Out) queue is the most appropriate solution. SQS FIFO queues guarantee that messages are processed in the exact order they are sent and ensure that each message is processed exactly once. This ensures data consistency and reliability, both of which are crucial for processing user-submitted forms without data loss.

SQS acts as a buffer between the web application server and the worker tier, ensuring that submitted forms are stored reliably and forwarded to the worker tier for processing. This also decouples the application, improving its scalability and resilience.

Option B (API Gateway): API Gateway is better suited for API management rather than acting as a message queue for form processing.

Option C (SQS Standard Queue): While SQS Standard queues offer high throughput, they do not guarantee exactly-once processing or the strict ordering needed for this use case.

Option D (Step Functions): Step Functions are useful for orchestrating workflows but add unnecessary complexity for simple message queuing and form processing.

AWS References:

Amazon SQS FIFO Queues

Decoupling Application Tiers Using Amazon SQS

AWS documentation states that for API Gateway REST APIs, AWS WAF must be deployed in the same Region to apply web access control lists. WAF geographic match rules can block requests from non-US Regions. Deploying the WAF and API Gateway in the same Region ensures minimal latency because the traffic does not traverse Regions.

Options B and C violate the requirement that WAF and API Gateway must be in the same Region. Option D uses HTTP API, which supports WAF only indirectly via regional ALBs, not directly as REST API does.

=====================================================

AWS documentation states that EC2 Auto Scaling is the recommended, cost-effective, and fault-tolerant method to manage workloads with predictable or varying demand. Auto Scaling automatically adds instances during peak traffic and terminates them when demand is low, reducing compute cost while maintaining availability across multiple Availability Zones.

Reserved Instances (Option B) would force the company to pay for peak capacity all day, which is not cost-effective.

Stopping instances manually (Option C) or vertically scaling instances (Option D) reduces fault tolerance and increases operational overhead.

=====================================================

Compute Savings Plans apply to EC2, AWS Fargate, and AWS Lambda usage, maximizing coverage for mixed architectures while retaining flexibility across instance families, regions, OS, and tenancy. For private connectivity, Lambda functions must be configured with VPC access to attach ENIs in the target subnets, enabling direct network access to EC2 in private subnets (no public subnets are required for intra-VPC communication). EC2 Instance Savings Plans only discount EC2 usage and are tied to a specific instance family in a region, reducing flexibility and leaving Lambda costs undiscounted. Keeping Lambda in the service VPC prevents direct access to private EC2 without VPC configuration. Thus, a 1-year Compute Savings Plan plus connecting Lambda to the private subnets minimizes total cost and meets connectivity needs.

AWS Secrets Manager is the recommended service for storing database credentials and performing automated rotation. Any Lambda function version or alias can fetch the latest secret value at runtime, ensuring no outdated credentials exist in deployed versions.

Environment variables (Option C) are static per version. Embedding credentials in code (Option B) is insecure and requires redeployment. Parameter Store (Option D) supports rotation but requires more configuration and is not as seamless as Secrets Manager for database credential rotation.

=====================================================

For steady, predictable EC2 usage with potential changes in instance families over time, AWS recommends Savings Plans. Compute Savings Plans “apply to any EC2 instance regardless of region, instance family, operating system, or tenancy,” and also apply to AWS Fargate and AWS Lambda, delivering the most flexibility over a multi-year horizon. A 3-year term provides the highest discount among Savings Plans for long-lived workloads. EC2 Instance Savings Plans are limited to a chosen instance family in a region; as needs evolve (e.g., size or family changes), discounts may not fully apply. Spot Instances are not appropriate for long, interruption-sensitive jobs because Spot capacity can be reclaimed with short notice. Therefore, a Compute Savings Plan (3-year) best matches cost optimization with flexibility for growth and changes.

The best solution to query and filter S3 data directly without downloading the full object is to use Amazon Athena.

Amazon Athena is an interactive query service that lets you use SQL to analyze structured, semi-structured, and unstructured data directly in Amazon S3, without needing to move or transform the data.

It supports formats like CSV, JSON, ORC, Parquet, and Avro and integrates with AWS Glue Data Catalog for schema management.

Athena is serverless, meaning there’s no infrastructure to manage, and it ' s billed per query, which keeps it cost-effective.

Option B (EMR) is heavier and requires managing a cluster.

Option C (API Gateway) is not suited for querying S3 datasets.

Option D (ElastiCache) is a memory store, not a query engine.

🔗 Reference:

What is Amazon Athena?

Setting the RDS backup retention policy to 30 days forautomated backupsthrough AWS Backup allows the company to retain backups cost-effectively. Manual backups, however, are notautomatically managed by RDS ' s retention policy, so they need to be manually deleted if they are older than 30 days to avoid unnecessary storage costs.

Key AWS features:

Automated Backups: Can be configured with a retention policy of up to 35 days, ensuring that older automated backups are deleted automatically.

Manual Backups: These are not subject to the automated retention policy and must be manually managed to avoid extra costs.

AWS Documentation: AWS recommends using backup retention policies for automated backups while manually managing manual backups​.

A. Amazon EFS:Provides a scalable, shared file storage solution with minimal operational overhead. It ' s ideal for Linux-based workloads.

B. Amazon FSx for NetApp ONTAP:More suited for workloads requiring NetApp-specific features.

C. Amazon EBS:Requires manual management of file shares, which increases operational overhead.

D. Amazon FSx for Windows File Server:Best suited for Windows SMB workloads with low operational overhead.

E. Amazon FSx for OpenZFS:Better for Linux and Unix-based workloads.

SSE-KMS (Server-side encryption with AWS Key Management Service) not only encrypts data at rest but also integrates with AWS CloudTrail to provide detailed logs of key usage — meeting the audit requirement.

“SSE-KMS provides the ability to audit key usage to see who used the key and when, via AWS CloudTrail.”

— Amazon S3 Encryption Documentation

Benefits:

Encryption with customer-managed or AWS-managed KMS keys

Audit trails of key usage events

Fine-grained access control

Incorrect Options:

A: SSE-S3 does not support auditing of key usage.

C: SSE-C does not integrate with CloudTrail or KMS.

D: Self-managed keys require external key infrastructure and custom audit logging.

The issue in this case is related to the processing tier, where EC2 instances are overwhelmed at peak times, causing delays.Option D, using anAmazon EC2 Auto Scaling target tracking policybased on theApproximateNumberOfMessagesin the SQS queue, is the best solution.

Auto Scaling with Target Tracking:

Target tracking policiesdynamically scale out or in based on a specific metric. For this use case, you can monitor theApproximateNumberOfMessagesin the SQS queue. When the number of messages (orders) in the queue increases, the Auto Scaling group will scale out more EC2 instances to handle the additional load, ensuring that the queue doesn’t build up and cause delays.

This solution is ideal for handling variable and unpredictable peak times, as Auto Scaling can automatically adjust based on real-time load rather than scheduled times.

Why Not the Other Options?:

Option A (Scheduled Scaling): Scheduled scaling works well for predictable peak times, but this company experiencesunpredictable peak usage, making scheduled scaling less effective.

Option B (ElastiCache for Redis): Adding a caching layer would help if DynamoDB were the bottleneck, but in this case, the issue is CPU overload on EC2 instances in the processing tier.

Option C (CloudFront): CloudFront would help cache static content from the web tier, but it wouldn’t resolve the issue of the processing tier’s overloaded EC2 instances.

AWS References:

Amazon EC2 Auto Scaling Target Tracking

Amazon SQS ApproximateNumberOfMessages

AWS Backup is a fully managed backup service designed to centralize and automate data protection across AWS services including EC2 and RDS. It allows users to define backup schedules (backup plans) and automatically create and retain backups. AWS Backup also offers restore testing plans, allowing users to automate the validation of backups by restoring them in a controlled manner. This service is built to minimize operational overhead by removing the need to manage custom scripts, manual processes, or additional orchestration services. This aligns with AWS best practices for resilience, automation, and operational excellence.

Reference Extract from AWS Documentation / Study Guide:

" AWS Backup enables you to centralize and automate data protection across AWS services. You can create backup plans, schedule backups, and set lifecycle policies. AWS Backup also enables restore testing to verify your backup integrity, with minimal manual intervention. "

Source: AWS Certified Solutions Architect – Official Study Guide, Resiliency and Disaster Recovery section; AWS Backup User Guide.

To grant cross-account access to an Amazon S3 bucket, you can use a bucket policy that specifies the AWS account ID of the account you want to grant access to. This method allows Account B to access the S3 bucket in Account A without the need for additional services or configurations.

To optimize costs for long-term data storage, AWS recommends using S3 Lifecycle policies to automate transitions across storage classes and ultimately expire old data.

S3 Standard-IA is suited for data that is accessed less frequently but requires millisecond retrieval times. It is ideal for 6-month-old data still used in monthly reports.

S3 Glacier Deep Archive is the lowest-cost option, designed for data accessed once or twice a year, such as regulatory audits — perfect for 2+ year-old data.

Lifecycle expiration rules allow S3 to automatically delete objects older than 7 years, aligning with the business retention policy.

These transitions are cost-effective and fully automated, aligning with the Cost Optimization pillar in the AWS Well-Architected Framework.

🔗 Reference:

S3 Storage Class Comparison

Lifecycle Management

To access an EFS file system across accounts and VPCs, the EFS must be mounted using VPC peering or AWS Transit Gateway, and the EC2 instances must use the amazon-efs-utils package with the correct mount target or access point.

Using an EFS access point simplifies access management, especially across accounts, by providing a POSIX identity and access policy layer.

VPC sharing doesn’t support EFS directly unless the subnet and resources are shared properly, which requires redeployment. Therefore, option D is the most complete and correct.

AWS Secrets Manager is the managed service for securely storing, rotating, and retrieving database credentials. When you store Aurora credentials in Secrets Manager and enable automatic rotation, Secrets Manager updates the credentials in both the database and the stored secret.

Each Lambda function version or alias can call Secrets Manager at runtime to retrieve the current secret value, so even older deployed Lambda versions that use an alias will always obtain the most recent credentials without redeployment.

Why others are not suitable:

B: Embeds credentials in code, requiring redeployment on every rotation and violating security best practices.

C: Environment variables are version-specific; old aliases would continue using outdated values unless you redeploy or change them.

D: Parameter Store can store and rotate secrets but is less integrated for database credential rotation than Secrets Manager; Secrets Manager is the purpose-built minimal-overhead choice here.

For logs that are:

Written and processed within a short period (24 hours)

Accessed quickly for compute/analytics

With unknown object count and size

Amazon S3 Standard is the most appropriate and cost-effective. Intelligent-Tiering is designed for data stored for longer periods (typically 30+ days) with changing access patterns and charges a per-object monitoring and automation fee that becomes inefficient for very short-lived objects.

S3 Glacier Deep Archive and S3 One Zone-IA are optimized for long-term archival or infrequently accessed data with retrieval time or availability constraints that are not suitable for nightly active processing.

Amazon FSx for Lustreis a high-performance, fully managed file system that is ideal for applications requiring low-latency access to shared storage, especially in use cases like gaming where high throughput and low latency are essential. It integrates easily with EC2 instances, providing fast and scalable shared storage, and supports custom protocols for specific application needs.

Option A (FSx File Gateway): FSx File Gateway is designed for hybrid cloud storage and is not suited for high-performance gaming workloads.

Option B (EC2 Windows instance): Setting up a file share on a Windows instance would introduce additional administrative overhead and would not provide the necessary performance.

Option C (EFS with Lustre): While Lustre is integrated with FSx, EFS does not natively support Lustre.

AWS References:

Amazon FSx for Lustre

TheAWS_PROXY integration with Amazon API Gatewayallows the API to invoke a Lambda function synchronously, making it a suitable solution for the custom authorization mechanism and text translation use case.

Synchronous Invocation: The API Gateway REST API with AWS_PROXY integration enables synchronous processing of HTTP requests and responses, which is required for document translation.

Custom Authorization: API Gateway supports custom authorizers for fine-grained access control.

Lambda Function Execution: Although Lambda ' s execution time limit is 15 minutes, this is sufficient for the 6-minute document translation requirement.

Why Other Options Are Not Ideal:

Option B:

Introducing a Lambda function URL to invoke another Lambda function unnecessarily complicates the architecture.Not efficient.

Option C:

Asynchronous invocation cannot guarantee real-time response delivery for document translation tasks.Not suitable.

Option D:

Hosting the API on an EC2 instance increases operational overhead. HTTP PROXY integration does not add significant benefits here.Not cost-effective or efficient.

AWS References:

API Gateway Lambda Proxy Integration:AWS Documentation - Proxy Integration

Custom Authorization in API Gateway:AWS Documentation - Custom Authorization

Amazon DynamoDB provides single-digit millisecond performance at any scale and is fully managed to handle millions of catalog records. It is ideal for structured catalog data such as product metadata and scales seamlessly during high-traffic events like sales. Amazon S3 is optimized for storing unstructured large objects such as videos and manuals, with virtually unlimited scalability and high durability. Option A (RDS) would not handle massive scale or traffic spikes as efficiently. Option C overloads DynamoDB by forcing it to store large binary data, which is not its purpose. Option D (DocumentDB) is suitable for JSON-like documents but not optimal for storing large media files and would add operational complexity. Therefore, option B represents the best separation of structured and unstructured data storage.

In Amazon Aurora, a custom endpoint is a feature that allows you to create a load-balanced endpoint that directs traffic to a specific set of instances in your Aurora DB cluster. This is particularly useful when you want to route traffic to a subset of instances that have different configurations or when you want to isolate specific workloads (e.g., reporting queries) to certain instances.

Custom Endpoint: The correct solution is to create a custom endpoint that includes the three Aurora Replicas that the department wants to use for near-real-time reporting. This custom endpoint will distribute the reporting queries only across the three selected replicas with the specified compute and memory configurations, ensuring that these queries do not affect the rest of the DB cluster.

Other Options:

Option B (Create a three-node cluster clone): This would create a separate cluster with its own resources, but it is not necessary and could incur additional costs. Also, it doesn ' t leverage the existing replicas.

Option C (Use any of the instance endpoints): This would involve manually managing connections to individual instances, which is not scalable or automatic.

Option D (Use the reader endpoint): The reader endpoint would distribute the read queries across all replicas in the cluster, not just the selected three. This would not meet the requirement to limit the reporting queries to only three specific replicas.

AWS References:

Amazon Aurora Endpoints- Provides detailed information on the different types of endpoints available in Aurora, including custom endpoints.

Custom Endpoints in Amazon Aurora- Specific documentation on how to create and use custom endpoints to direct traffic to selected instances in an Aurora cluster.

AWS DataSync provides a fully managed, secure, and high-performance service for transferring large amounts of data between on-premises storage and Amazon S3. It uses TLS encryption in transit and automates data validation, scheduling, and monitoring.

From AWS Documentation:

“AWS DataSync securely and efficiently transfers large amounts of data online between on-premises storage and AWS services. All data is encrypted in transit using TLS.”

(Source: AWS DataSync User Guide – How DataSync Works)

Why B is correct:

Encrypts all data in transit automatically.

Optimized for high-throughput WAN environments (100 Mbps to multi-Gbps).

Fully managed, with no need to provision additional infrastructure.

Integrates natively with S3 and supports incremental syncs.

Why others are incorrect:

A: DMS is designed for database migration, not unstructured data.

C: Snowball is for offline migrations, not needed given available connectivity.

D: Direct Connect is costly for temporary data transfers and unnecessary here.

AWS Secrets Manager is designed specifically to securely store and manage sensitive information such as database credentials. It integrates seamlessly with AWS services like Lambda and RDS, and it provides automatic credential rotation with minimal operational overhead.

AWS Secrets Manager: By storing the database credentials in Secrets Manager, you ensure that the credentials are securely stored, encrypted, and managed. Secrets Manager provides a built-in mechanism to automatically rotate credentials at regular intervals (e.g., every 30 days), which helps in maintaining security best practices without requiring additional manual intervention.

Lambda Integration: The Lambda function can be easily configured to retrieve the credentials from Secrets Manager using the AWS SDK, ensuring that the credentials are accessed securely at runtime.

Why Not Other Options?:

Option A (Parameter Store with Rotation): While Parameter Store can store parameters securely, Secrets Manager is more tailored for secrets management and automatic rotation, offering more features and less operational overhead.

Option C (Encrypted Lambda environment variable): Storing credentials directly in Lambda environment variables, even when encrypted, requires custom code to manage rotation, which increases operational complexity.

Option D (KMS with automatic rotation): KMS is for managing encryption keys, not for storing and rotating secrets like database credentials. This option would require more custom implementation to manage credentials securely.

AWS References:

AWS Secrets Manager- Detailed documentation on how to store, manage, and rotate secrets using AWS Secrets Manager.

Using Secrets Manager with AWS Lambda- Guidance on integrating Secrets Manager with Lambda for secure credential management.

Detailed Explanation:

A. EventBridge Rule:Detects modifications to CloudFront distributions in real time and triggers the Lambda function for further action.

B. ALB + Config:Focuses on ALB security violations, not relevant for CloudFront logging changes.

C. Lambda + SNS:Provides real-time notifications about changes in logging configuration.

D. GuardDuty:Focuses on threat detection, not logging configuration changes.

E. API Gateway + WAF:Unrelated to CloudFront logging changes.

Detailed Explanation:

A. ECS + API Gateway:Overly complex and costly for an on-demand, intermittent workload.

B. EventBridge + SNS:EventBridge schedules are unnecessary for on-demand generation.

C. EKS + API Gateway:Overkill for this use case, with high operational overhead.

D. Lambda + SES:Most cost-effective and efficient solution for generating and emailing reports on demand.

S3 Object Lock in Compliance Mode prevents objects from being deleted or overwritten for a fixed, specified retention period. Compliance Mode is specifically designed to meet regulatory requirements, ensuring that no user, including the root user, can modify or delete the object during the retention period.

Reference Extract:

" S3 Object Lock in compliance mode protects objects from being deleted or overwritten during the specified retention period, helping meet regulatory retention requirements. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Object Lock and Compliance section.

The requirements focus on cost optimization, automatic lifecycle management, and throughput scaling based on file system size. Amazon EFS provides two throughput modes: bursting and provisioned. Bursting throughput automatically scales with the size of the file system, which directly aligns with the company’s needs.

Option C is correct because it combines two essential features. First, configuring lifecycle management to transition files from Standard to Infrequent Access (IA) after 30 days reduces storage costs for infrequently accessed data. Second, enabling automatic transition back to Standard storage upon access ensures that performance-sensitive reporting workloads are not negatively affected when older files are read.

Using bursting throughput mode allows throughput to grow naturally as the file system size increases, eliminating the need to manually manage or pay for fixed throughput levels. This is ideal for workloads with variable access patterns.

Option A incorrectly specifies provisioned throughput, which is designed for predictable, high-throughput workloads and incurs additional cost. Option B ignores lifecycle transitions. Option D does not account for automatic return to Standard storage, which could lead to suboptimal performance for accessed files.

Therefore, C provides the best balance of performance, cost efficiency, and minimal operational overhead.

Explanation (AWS Docs):

To allow private subnets to access the internet, deploy NAT gateways in a public subnet in each AZ for high availability. NAT instances are less scalable and less fault-tolerant.

“To create a highly available architecture, create a NAT gateway in each Availability Zone and configure your routing to use it.”

— NAT Gateway Overview

Option A: Importing customer-managed keys into AWS KMS ensures that encryption key material remains under the company’s control.

Option D: S3 Glacier with server-side encryption using customer-provided keys (SSE-C) complies with the need for controlled encryption and provides cost-effective storage for backups.

AWS Key Management Service Importing Keys Documentation,S3 Encryption Documentation

EC2 Account Attributes: Amazon EC2 allows you to set account attributes to automatically encrypt new EBS volumes. This ensures that all new volumes created in your account are encrypted by default.

Configuration Steps:

Go to the EC2 Dashboard.

Select " Account Attributes " and then " EBS encryption " .

Enable default EBS encryption and select the default AWS KMS key or a customer-managed key.

Prevention of Unencrypted Volumes: By setting this account attribute, you ensure that it is not possible to create unencrypted EBS volumes, thereby enforcing compliance with security requirements.

Operational Efficiency: This solution requires minimal configuration changes and provides automatic enforcement of encryption policies, reducing operational overhead.

AWS best practices strongly recommend enabling MFA on the root user, but they also emphasize planning for MFA device loss. AWS allows the configuration of multiple MFA devices for the root user, which provides redundancy and ensures continued access in disaster scenarios. Option B directly addresses the requirement by enabling a backup authentication method without weakening security controls.

Adding multiple MFA devices ensures that if one device is lost, damaged, or unavailable, the organization can still authenticate securely using the secondary device. This approach maintains strong security while eliminating the risk of permanent root account lockout. It also avoids time-consuming recovery processes that require contacting AWS Support and proving account ownership.

Option A is not sufficient because IAM administrator accounts do not replace root access and cannot perform certain root-only actions. Options C and D are not feasible because new administrator accounts or policy changes cannot be made if root access is already lost.

Therefore, B is the correct and AWS-recommended solution to ensure uninterrupted, secure access to the root account while maintaining MFA protection.

For predictable workloads requiring a relational database, Amazon RDS for MySQL offers a managed, cost-effective solution. Storing product images in Amazon S3 is highly durable and cost-efficient, especially for static assets like images. This combination leverages managed services to reduce operational overhead and costs.

A Network Load Balancer (NLB) supports IP address-based targets, which allows the use of both EC2 and on-premises endpoints. It also supports a static IP address or Elastic IP, which meets the requirement for a fixed IP address needed by some users.

NLB offers high performance, low latency, and minimal operational overhead. Application Load Balancer only supports instance or Lambda targets, not IP addresses outside the VPC. Route 53 Resolver is for DNS, and API Gateway is for HTTP-based APIs, not web applications.

AWS Global Accelerator reduces latency by directing users to the optimal Regional endpoint based on global network health and proximity. Amazon CloudFront caches static and dynamic content at edge locations for ultra-low latency access worldwide, improving performance and reducing server load.

Amazon RDS Multi-AZ deployments provide automatic failover for relational databases such as MySQL, ensuring high availability and durability. The feature maintains synchronous replication between a primary DB instance and a standby in a separate Availability Zone. AWS guarantees that failover typically completes within minutes, ensuring an RTO and RPO of less than 2 minutes. Option A requires manual promotion of replicas, which cannot meet the strict RTO/RPO requirement. Option C depends on custom scripts and manual synchronization, introducing operational risk. Option D creates active-active EC2-based databases, which do not provide synchronous replication or automated failover. Therefore, Multi-AZ RDS (B) is the managed, resilient, and operationally efficient solution that meets the business requirements.

The correct answer is D because the application is written entirely in JavaScript and runs in users’ web browsers , which means the workload is essentially a static web application . Static assets such as HTML, JavaScript, CSS, and related files are best hosted on Amazon S3 , which provides highly durable and low-cost object storage. Putting Amazon CloudFront in front of the S3 bucket allows the application to be delivered globally through edge locations, which reduces latency for users in many countries while also lowering the load on the origin.

This design is more cost-effective than continuing to serve the application from EC2 instances behind an ALB because it eliminates most of the compute and load balancing cost for static content delivery. CloudFront caches the content close to users and can improve performance worldwide without the complexity of deploying full application stacks in multiple Regions.

Option A is less cost-effective because it still depends on the ALB and EC2 instances as the origin for content that is static. Also, CloudFront requires an ACM certificate in us-east-1 for custom domain names, so reusing the existing certificate from the ALB is not the right assumption. Option B introduces significant multi-Region infrastructure cost and management overhead. Option C is unnecessarily complex because multiple S3 buckets in multiple Regions are not required when CloudFront can cache globally from a single origin.

AWS best practices for static web applications recommend Amazon S3 for storage and Amazon CloudFront for global distribution . This approach provides strong performance, simplicity, and cost optimization.

Key Problem:

Delayed Inventory table updates during peak sales.

DynamoDB Streams and Lambda processing require optimization.

Analysis of Options:

Option A:Adding a GSI is unrelated to the issue. It does not address stream processing delays or capacity issues.

Option B:Optimizing batch size reduces latency and allows the Lambda function to process larger chunks of data at once, improving performance during peak load.

Option C:Increasing write capacity for the Inventory table ensures that it can handle the increased volume of updates during peak times.

Option D:Increasing read capacity for the Orders table does not directly resolve the issue since the problem is with updates to the Inventory table.

Option E:Increasing Lambda timeout only addresses longer processing times but does not solve the underlying throughput problem.

AWS References:

DynamoDB Streams Best Practices

Provisioned Throughput in DynamoDB

The Amazon CloudWatch agent is required to collect memory utilization metrics (as memory metrics are not reported by default). A target tracking policy is the simplest and most effective way to scale based on a custom metric such as mem_used_percent.

Reference Extract:

" Install the CloudWatch agent to collect memory metrics, and create a target tracking scaling policy using these custom metrics. "

Source: AWS Certified Solutions Architect – Official Study Guide, Monitoring and Scaling section.

When using imported key material with AWS KMS, you maintain control over the key lifecycle. AWS KMS allows you to import new key material into an existing KMS key (of type " external " or " imported " ), thus rotating the key material without changing the key ID or ARNs. This enables applications to continue using the same key for cryptographic operations without disruption.

You can also set an expiration time for the old key material, after which AWS KMS deletes the old material and requires new key material to be imported, enforcing regular rotation per your compliance requirements.

AWS Documentation Extract:

" To rotate imported key material, you can re-import new key material into the same KMS key. This retains the same key ID and ARNs so applications are unaffected. You can set an expiration time for imported key material and replace it as needed, ensuring compliance with your rotation policy. "

(Source: AWS Key Management Service Developer Guide, Importing Key Material, Rotating Key Material)

Other options:

A: You cannot create a new KMS key with the same key ID as an existing one.

B: Deleting and recreating the key disrupts application access because the key ID changes.

D: Automatic rotation is only available for AWS-managed keys, not for imported key material.