SAP-C02 AWS Certified Solutions Architect - Professional Question and Answers

For an application requiring low-latency access to financial information and high availability with a Recovery Time Objective (RTO) of 30 seconds, using Amazon DynamoDB for data storage and Amazon QuickSight for reporting is the most suitable solution. DynamoDB offers fast, consistent, and single-digit millisecond latency for data retrieval, meeting the latency requirements. QuickSight's ability to directly query DynamoDB datasets and provide embedded dashboards for reporting enables real-time financial report generation. This combination ensures high availability and meets the RTO requirement, providing a robust solution for the application's needs.

Amazon DynamoDB Documentation: Describes the features and benefits of DynamoDB, emphasizing its performance and scalability for applications requiring low-latency access to data.

Amazon QuickSight Documentation: Provides information on using QuickSight for creating and embedding interactive dashboards, including direct querying of DynamoDB datasets for real-time data visualization.

Creating a user pool in Amazon Cognito and configuring it for the application will meet the requirement of giving only a specific list of users the ability to access the application from the internet. A user pool is a directory of users that can sign in to an application with ausername and password1. The company can populate the user pool with the required users and configure the pool to require MFA for additional security2. Configuring a listenerrule on the ALB to require authentication through the Amazon Cognito hosted UI will meet the requirement of not changing the application and not integrating it with an identity provider. The ALB can use Amazon Cognito as an authentication action to authenticate usersbefore forwarding requests to the Fargate service3. The Amazon Cognito hosted UI is a customizable web page that provides sign-in and sign-up functionality for users4.

The most secure and manageable solution is to useVPC interface endpointsforS3andSystems Manager, and establishVPC peeringto privately access the patch repo in the core account.

Systems Manager VPC setup

The CloudFront managed prefix list contains the IP ranges for all CloudFront edge locations. By updating the ALB security group ingress to allow access only from this prefix list, the web application will be accessible only by using the CloudFront endpoint. This solution requires the least amount of effort compared to the other options, which involve creating new resources or updating existing ones. This solution also avoids hard-coding IP addresses, which can change over time.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

The company should create a new AWS WAF web ACL. The company should add a new rule that blocks requests that match the SQL database rule group. The company should set the web ACL to allow all other traffic that does not match those rules. The company should attach the web ACL to the ALB in front of the ECS tasks. This solution will meet the requirements because AWS WAF is a web application firewall that lets you monitor and control web requests that are forwarded to your web applications. You can use AWS WAF to define customizable web security rules that control which traffic can access your web applications and which traffic should be blocked1. By creating a new AWS WAF web ACL, the company can create a collection of rules that define the conditions for allowing or blocking web requests. By adding a new rule that blocks requests that match the SQL database rule group, the company can prevent SQL injection attacks from reaching the ECS API service. The SQL database rule group is a managed rule group provided by AWS that contains rules to protect against common SQL injection attack patterns2. By setting the web ACL to allow all other traffic that does not match those rules, the company can ensure that legitimate traffic can access the API service. By attaching the web ACL to the ALB in front of the ECS tasks, the company can apply the web security rules to all requests that are forwarded by the load balancer.

The other options are not correct because:

Creating a new AWS WAF Bot Control implementation would not prevent SQL injection attacks from reaching the ECS API service. AWS WAF Bot Control is a feature that gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime, or perform other undesired activities. However, it does not protect against SQL injection attacks, which are malicious attempts to execute unauthorized SQL statements against your database3.

Creating a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks would not prevent SQL injection attacks from reaching the ECS API service. Monitoring mode is a feature that enables you to evaluate how your rules would perform without actually blocking any requests. However, this mode does not provide any protection against attacks, as it only logs and counts requests that match your rules4.

Creating a new AWS WAF web ACL and creating a new empty IP set in AWS WAF would not prevent SQL injection attacks from reaching the ECS API service. An IP set is a feature that enables you to specify a list of IP addresses or CIDR blocks that you want to allow or block based on their source IP address. However, this approach would not be effective or efficient against SQL injection attacks, as it would require constantly updating the IP set with new IP addresses of attackers, and it would not block attackers who use proxies or VPNs.

Using AWS CloudFormation to launch a stack with an Application Load Balancer (ALB) in front of an Amazon EC2 Auto Scaling group spanning three Availability Zones, a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a Retain deletion policy, and an Amazon Route 53 alias record to route traffic from the company’s domain to the ALB will ensure that

On-demand capacity mode is the function of Dynamodb.https://aws.amazon.com/blogs/news/running-spiky-workloads-and-optimizing-costs-by-more-than-90-using-amazon-dynamodb-on-demand-capacity-mode/

Amazon DocumentDB Elastic Clustershttps://aws.amazon.com/blogs/news/announcing-amazon-documentdb-elastic-clusters/

Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application. This will provide high availability and scalability, while allowing the company to retain the same database structure as the original application.

A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket. The policy grants the necessary permissions to access the assets in the production S3 bucket.

C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity. By creating a role and attaching the policy, and then defining the development account as a trusted entity, the development account can assume the role and access the production S3 bucket with the read and write permissions.

E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the production account. The IAM policy attached to the group allows the design team members to assume the role created in the production account, thereby giving them access to the production S3 bucket.

Step 1: Create a role in the Production Account; create the role in the Production account and specify the Development account as a trusted entity. You also limit the role permissions to only read and write access to the productionapp bucket. Anyone granted permission to use the role can read and write to the productionapp bucket. Step 2: Grant access to the role Sign in as an administrator in the Development account and allow the AssumeRole action on the UpdateApp role in the Production account. So, recap, production account you create the policy for S3, and you set development account as a trusted entity. Then on the development account you allow the sts:assumeRole action on the role in production account.https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Allows client machines to be able to connect to Session Manager using the AWS CLI instead of going through the AWS EC2 or AWS Server Manager console. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.htmlhttps://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#:~:text=aws%20ssm%20start%2Dsession%20%2D%2Dtarget%20instance%2Did

Option B is correct because AWS Organizations allows a company to create a new organization from a chosen payer account and define an organizational unit hierarchy. This way, the finance department can have a centralized method for payment but also maintain visibility into each group’s spending to allocate costs. The company can also invite the existing accounts to join the organization and create new accounts using Organizations, which simplifies the account management process.

Option D is correct because enabling all features of AWS Organizations and establishing appropriate service control policies (SCPs) that filter IAM permissions for sub-accounts allows the security team to have a centralized mechanism to control IAM usage in all the company’s accounts. SCPs are policies that specify the maximum permissions for an organization or organizational unit (OU), and they can be used to restrict access to certain services or actions across all accounts in an organization.

Option A is incorrect because using a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account requires more effort than using SCPs. Moreover, it does not provide a centralized mechanism to control IAM usage, as each account would have to launch the appropriate stacks to enforce the least privilege model.

Option C is incorrect because requiring each business unit to use its own AWS accounts does not provide a centralized method for payment or a centralized mechanism to control IAM usage. Tagging each AWS account appropriately and enabling Cost Explorer to administer chargebacks may help with cost allocation, but it is not as efficient as using AWS Organizations.

Option E is incorrect because consolidating all of the company’s AWS accounts into a single AWS account does not provide visibility into each group’s spending or a way to control IAM usage for different business units. Using tags for billing purposes and the IAM’s Access Advisor feature to enforce the least privilege model may help with cost optimization and security, but it is not as scalable or flexible as using AWS Organizations.

AWS Organizations

Service Control Policies

AWS CloudFormation

Cost Explorer

IAM Access Advisor

Comprehensive and Detailed Explanation From Exact Extract:

The company wants logging that helps troubleshoot email delivery issues and also wants to search by recipient, subject, and time sent. Amazon SES provides event publishing for email sending and delivery events through configuration sets. With a configuration set, SES can publish sending events such as send, delivery, bounce, complaint, reject, and rendering failure to destinations such as Amazon CloudWatch, Amazon SNS, or Amazon Kinesis Data Firehose. For building a searchable log store, delivering these events into Amazon S3 through Kinesis Data Firehose is an effective approach because S3 provides durable storage and integrates well with query services.

Option A creates an SES configuration set with a Kinesis Data Firehose destination that delivers logs to an S3 bucket. This captures detailed SES event data that is directly useful for troubleshooting delivery issues and retaining historical records for analysis.

Once logs are stored in Amazon S3, Amazon Athena can query the data using SQL. Athena is designed to query data in S3 and is well suited for ad hoc searches. This meets the requirement to search based on recipient, subject, and time sent, assuming the event schema includes these fields (or they are included in the published event payload). Therefore, option C completes the solution by enabling searches over the stored log dataset.

Option B (CloudTrail) records API activity, such as calls made to SES APIs, but it is not designed to capture per-message delivery outcomes (deliveries, bounces, complaints) in a way that supports troubleshooting delivery behavior and detailed email event searching. CloudTrail is useful for auditing who called SES APIs, not for tracking message-level delivery events and outcomes.

Option D (CloudWatch log group) is another valid SES event publishing destination, but if the requirement is to perform flexible searches by multiple dimensions over a potentially large historical dataset, storing the logs in S3 and querying with Athena is a more direct and scalable pattern. Also, the provided option E is incorrect because Athena queries data in S3, not in CloudWatch Logs. CloudWatch Logs has its own query mechanism, but Athena is not used to query CloudWatch Logs directly in the way described.

Option E is incorrect because Amazon Athena does not query CloudWatch Logs as a log store. The typical searchable pattern for Athena is S3-backed datasets.

Therefore, the best combination to satisfy logging and searchable analysis requirements is to publish SES events to S3 via Kinesis Data Firehose (option A) and query those logs with Athena (option C).

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-reduce-nat-gateway-transfer-costs/

VPC endpoint policies enable you to control access by either attaching a policy to a VPC endpoint or by using additional fields in a policy that is attached to an IAM user, group, or role to restrict access to only occur via the specified VPC endpoint

This option will optimize the application’s performance by reducing the overhead of opening and closing database connections for each Lambda invocation. An RDS proxy is a fully managed database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, andmore secure1. It allows applications to pool and share connections established with the database, improving database efficiency and application scalability1. By creating an RDS proxy by using the Lambda console, you caneasily configure your Lambda function to use the proxy endpoint instead of the directdatabase endpoint2. This will enable your Lambda function to reuse existing connections from the proxy’s connection pool, reducing the latency and CPU utilization caused by establishing new connections for each invocation. It will also prevent connection saturation or exhaustion on the database, which can degrade performance or cause errors3.

https://aws.amazon.com/blogs/database/amazon-dynamodb-auto-scaling-performance-and-cost-optimization-at-any-scale/ "As you can see, there are compelling reasons to use DynamoDB auto scaling with actively changing traffic. Auto scaling responds quickly and simplifies capacity management, which lowers costs by scaling your table’s provisioned capacity and reducing operational overhead."

Create a Transit Gateway:

In the shared services account, create a new AWS Transit Gateway. This serves as a central hub to connect multiple VPCs, simplifying the network topology and management.

Configure Transit Gateway Attachments:

Attach the VPC containing the Aurora DB cluster to the transit gateway. This allows the shared services VPC to communicate through the transit gateway.

Create Resource Share with AWS RAM:

Use AWS Resource Access Manager (AWS RAM) to create a resource share for the transit gateway. Share this resource with all development accounts. AWS RAM allows you to securely share your AWS resources across AWS accounts without needing to duplicate them.

Accept Resource Shares in Development Accounts:

Instruct each development team to log into their respective AWS accounts and accept the transit gateway resource share. This step is crucial for enabling cross-account access to the shared transit gateway.

Configure VPC Attachments in Development Accounts:

Each development account needs to attach their VPC to the shared transit gateway. This allows their VPCs to route traffic through the transit gateway to the Aurora DB cluster in the shared services account.

Update Route Tables:

Update the route tables in each VPC to direct traffic intended for the Aurora DB cluster through the transit gateway. This ensures that network traffic is properly routed between the development VPCs and the shared services VPC.

Using a transit gateway simplifies the network management and reduces operational overhead by providing a scalable and efficient way to interconnect multiple VPCs across different AWS accounts.

References

AWS Database Blog on RDS Proxy for Cross-Account Access【48】.

AWS Architecture Blog on Cross-Account and Cross-Region Aurora Setup【49】.

DEV Community on Managing Multiple AWS Accounts with Organizations【51】.

The correct answer is B.

B. This solution meets the requirements because it uses AWS Cost Anomaly Detection, which is a feature of AWS Cost Management that uses machine learning to identify and alert on anomalous spend and usage patterns. By configuring a monitor type of AWS Service and applying a filter of Amazon EC2, the solution can track the EC2 usage as a metric across the organization’s accounts.By configuring an alert subscription with a threshold of 10%, the solution can notify the architecture team via email or AmazonSNS if the EC2 usage is more than 10% higher than the average usage for the last 30 days12

A. This solution is incorrect because it uses AWS Budgets, which is a feature of AWS Cost Management that helps to plan and track costs and usage. However, AWS Budgets does not support usage type of EC2 running hours as a budget type. The only supported usage types are Amazon S3 storage, Amazon EC2 RI utilization, and Amazon EC2 RI coverage. Moreover, AWS Budgets does not support setting the budget amount based on the reported average usage from AWS Cost Explorer.The budget amount has to be a fixed or variable value34

C. This solution is incorrect because it uses AWS Trusted Advisor, which is a feature of AWS Premium Support that provides recommendations to follow best practices for cost optimization, security, performance, and fault tolerance. However, AWS Trusted Advisor does not support configuring custom alerts based on EC2 usage or average usage for the last 30 days.The only supported alerts are based on predefined checks and thresholds that are applied to all services and resources in the account56

D. This solution is incorrect because it uses Amazon Detective, which is a service that helps to analyze and visualize security data to investigate potential security issues. However, Amazon Detective does not support configuring EC2 usage anomaly alerts basedon average usage for the last 30 days.The only supported alerts are based on GuardDuty findings and other security-related events that are detected by machine learning models78

https://docs.aws.amazon.com/cur/latest/userguide/billing-cur-limits.html

The requirement is to allow each OU (which contains multiple accounts) to view a cost breakdown across its accounts. In an AWS Organizations setup with consolidated billing, the management account is the central place where organization-level cost and usage reporting is configured and aggregated. The Cost and Usage Report is designed to produce the most detailed cost and usage dataset, and it can include charges for linked (member) accounts. A single CUR created from the management account can include all accounts in the organization, and then filtering can be applied to show cost breakdowns per OU or per team.

Once the CUR is delivered to Amazon S3, analytics tools such as Amazon Athena and Amazon QuickSight can be used to create dashboards. Teams can be provided access to the dataset or curated views and can filter by linked account, tags, and other dimensions. With appropriate cost allocation tags and organizational mapping (for example, account-to-OU mapping maintained in reporting logic), each OU can see its consolidated view.

Option B meets the requirements because it creates one CUR centrally from the management account and uses QuickSight for visualization. This approach is scalable for hundreds of accounts and avoids duplicating CUR configuration in each member account.

Option A is incorrect because AWS Resource Access Manager is not used to create CURs per OU. CUR is not an OU-scoped resource created via RAM.

Option C is not operationally efficient because it requires creating and managing CURs in each member account, producing fragmented datasets and significantly increasing overhead at hundreds of accounts. It also makes it harder to generate a single view per OU across accounts.

Option D is incorrect because Systems Manager does not create CURs, and OpsCenter dashboards are not the standard tool for cost and usage reporting.

Therefore, a centrally created CUR in the management account with QuickSight visualization is the correct solution.

D is correct because AWS Private CA supports resource sharing through AWS RAM, which allows you to share the CA across accounts in your AWS Organization securely. It ensures the CA private key remains secure and is never exported.

A is invalid because you cannot export a CA’s private key, and importing/exporting CAs this way is unsupported.

B is incorrect — IAM policies alone are not sufficient to share Private CAs across accounts.

C is not applicable because resource-based delegation policies do not apply to AWS Private CA.

Option C is the correct and most efficient solution, aligning with AWS best practices for secure and private connectivity:

Create VPC Endpoints for Systems Manager and Amazon S3:

Systems Manager VPC Endpoints: By creating interface VPC endpoints for Systems Manager (com.amazonaws.region.ssm, com.amazonaws.region.ec2messages, and com.amazonaws.region.ssmmessages), the EC2 instances can communicate with Systems Manager services without requiring internet access. This setup ensures that patching operations can be conducted securely within the AWS network.

Amazon S3 VPC Endpoint: A gateway VPC endpoint for Amazon S3 (com.amazonaws.region.s3) allows EC2 instances to access S3 buckets privately. This is essential for accessing application data stored in S3 without traversing the public internet.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html#apig-request-throttling-account-level-limits

Step B is necessary so that the user in the destination account has the necessary permissions to access the source bucket and list its contents, read its objects. Step D is needed so that the user in the destination account has the necessary permissions to access the destination bucket and list contents, put objects, and set object ACLs Step F is necessary because the aws s3 sync command needs to be run using the IAM user credentials from the destination account, so that the objects will have the appropriate permissions for the user in the destination account once they are copied.

https://docs.aws.amazon.com/vpc/latest/userguide/sharing-managed-prefix-lists.html

Gateway VPC Endpoint for S3:

Create a gateway VPC endpoint for Amazon S3 in your VPC. This allows instances in your VPC to communicate with Amazon S3 without going through the internet, reducing data transfer costs and improving security.

Add Spot Instances to ECS Cluster:

Add another ECS capacity provider that uses an Auto Scaling group of Spot Instances. Configure this new capacity provider to share the load with the existing On-Demand Instances by setting an appropriate weight in the capacity provider strategy. Spot Instances offer significant cost savings compared to On-Demand Instances.

Configure Capacity Provider Strategy:

Adjust the ECS service's capacity provider strategy to utilize both On-Demand and Spot Instances effectively. This ensures a balanced distribution of tasks across both instance types, optimizing cost while maintaining availability.

By implementing a gateway VPC endpoint for S3 and incorporating Spot Instances into the ECS cluster, the company can significantly reduce operational costs without compromising on the availability or performance of the platform.

References

AWS Cost Optimization Blog on VPC Endpoints

AWS ECS Documentation on Capacity Providers

A is correct:Quota request templates must be created in us-east-1, the only region that supports them. You specify the desired quotain the correct target Region(ap-southeast-2) for SageMaker training and endpoint usage. This enablesautomatic quota increasesfor newly created accounts in the org.

B, C, and D misconfigure either region or quota type.

Set Up EventBridge Event Bus:

Step 1: Open the Amazon EventBridge console and create a custom event bus. This bus will be used to handle user deletion events.

Step 2: Name the event bus appropriately (e.g.,user-deletion-bus).

Post Events on User Deletion:

Step 1: Modify the central user service to post an event to the custom EventBridge event bus whenever a user is deleted.

Step 2: Ensure the event includes relevant details such as the user ID and any other necessary metadata.

Create EventBridge Rules for Microservices:

Step 1: For each microservice that needs to delete user data, create a new rule in EventBridge that triggers on the user deletion event.

Step 2: Define the event pattern to match the user deletion event. This pattern should include the event details posted by the central user service.

Invoke Microservice Logic:

Step 1: Configure the EventBridge rule to invoke a target, such as an AWS Lambda function, which contains the logic to delete the user data from the microservice's data store.

Step 2: Each microservice should have its Lambda function or equivalent logic to handle the deletion of user data upon receiving the event.

Using Amazon EventBridge ensures a scalable, reliable, and decoupled approach to handle the deletion of user data across multiple microservices. This setup allows each microservice to independently process user deletion events without direct dependencies on other services.

References

AWS EventBridge Documentation

DynamoDB Streams and AWS Lambda Triggers

Implementing the Transactional Outbox Pattern with EventBridge Pipes​(AWS Documentation)​​(Amazon Web Services, Inc.)​​(Amazon Web Services, Inc.)​​(AWS Documentation)​​(AWS Cloud Community)​.

A is correct because:

DynamoDB global tablesallow for multi-Region, active-active usage.

RDS MySQL read replicain another Region supports read workloads and can bepromotedduring disaster to act as a standalone DB.

B is incorrect: DAX is a cache, not a replication mechanism.

C is wrong because Multi-AZ doesn’t span Regions.

D is more manual and error-prone.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.htmlhttps://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/configurecostallocreport.html

This option allows the solutions architect to use an identity policy that grants the user readand write access to their own personal folder on the S3 bucket1. By adding a condition that specifies that the S3 paths must be prefixed with ${aws:username}, the solutions architect can ensure that each scientist can only access their own folder2. By applying the policy on the scientists’ IAM user group, the solutions architect can simplify the management of permissions for all the scientists3. By configuring a trail with AWS CloudTrail to capture all object-level events in the S3 bucket, the solutions architect can record and store information about every action performed on the S3 objects4. By storing the trail output in another S3 bucket, thesolutions architect can secure and archive the log files5. By using Amazon Athena to query the logs and generate reports, the solutions architect can use a serverless interactive query service that can analyze data in S3 using standard SQL.

Identity-based policies

Policy variables

IAM groups

Object-level logging

Creating a trail that applies to all regions

[What is Amazon Athena?]

To ensure that game assets are fetched from the closest region and have a fallback option in case the assets become unavailable in the closest region, a solution architect should leverage Amazon CloudFront, a global content delivery network (CDN) service. By creating an Amazon CloudFront distribution and setting up origin groups, the architect can specify multiple origins (in this case, the Application Load Balancers in each region). The primary origin will serve content under normal circumstances, and if the content becomes unavailable, CloudFront will automatically switch to the secondary origin. This approach not only meets the requirement of regional proximity and redundancy but also optimizes latency and enhances the gaming experience by serving assets from the nearest geographical location to the end-user.

AWS Documentation on Amazon CloudFront and origin groups provides detailed instructions on setting up distributions with multiple origins for high availability and performance optimization. Additionally, AWS whitepapers and best practices on content delivery and global applications offer insights into effectively utilizing CloudFront and other AWS services to achieve low latency and high availability.

A: Use dynamic IAM policies with {aws:PrincipalTag/userName} to enforceprefix-level access control— i.e., bucket/userA/*, bucket/userB/*.

C: Enable CloudTraildata eventsto capture object-level access andquery them withAthena. This is the AWS-recommended way to audit per-user object access.

Incorrect:

B doesn't provide user isolation.

D only capturesmanagement events, not object-level data access.

E is legacy, inefficient, and not structured for per-user auditing.

They all mention using spot instances and EKS based on EC2. A spot instance is not appropriate for a production server and the company is developing new application designed for AWS Fargate, which means we must plan the future cost improvement including AWS Fargate. https://aws.amazon.com/savingsplans/compute-pricing/

The combination of changes that will meet the requirement with the least operational overhead are:

A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint.Implement a Route 53 multivalue answer routing policy.

B. Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.

C. Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region’s replicated secret, select the appropriate KMS key.

These changes will enable the company to have an active-active configuration for its API across multiple Regions, while minimizing the complexity and cost of managing the secrets and keys.

A. This change will allow the company to use Route 53 to distribute traffic across multiple Regional API endpoints, based on the availability and latency of each endpoint.This will improve the performance and availability of the API for global customers12

B. This change will allow the company to use KMS multi-Region keys, which are KMS keys in different Regions that can be used interchangeably.This will simplify the encryption and decryption of secrets across Regions, as the same key material and key ID can be used in any Region34

C. This change will allow the company to use Secrets Manager replication, which replicates the encrypted secret data and metadata across the specified Regions.This will ensure that the secrets are consistent and accessible in any Region, andthat any update made to the primary secret will be propagated to the replica secrets automatically56

https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/

This option uses AWS DataSync to replicate the on-premises images to the EFS file system over the Direct Connect connection. AWS DataSync is a service that automates and accelerates data transfer between on-premises storage systems and AWS storage services. It can transfer data to and from Amazon EFS, Amazon FSx for Windows File Server, and Amazon S3. To use AWS DataSync, the company needs to deploy an AWS DataSync agent to an on-premises server that has access to the NFS file system. The agent connects to the AWS DataSync service endpoint in the AWS Region where the EFS file system is located. The company can use an AWS PrivateLink interface endpoint to connect to the service endpoint securely and privately over the Direct Connect connection. The company can then create a task in AWS DataSync that specifies the source location (the NFS file system), the destination location (the EFS file system), and the options for the data transfer (such as schedule, bandwidth limit, and verification). AWS DataSync will then perform the data transfer efficiently and securely, using encryption in transit and at rest.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

The cost of EFS backup cold storage is $0.01 per GB-month, whereas the cost of EFS backup warm storage is $0.05 per GB-month1. Therefore, moving the backups to cold storage as soon as possible will reduce the storage cost. However, cold storage backupsmust be retained for a minimum of 90 days2, otherwise they incur a pro-rated charge equal to the storage charge for the remaining days1. Therefore, setting the backup retention period to 30 days will incur a penalty of 60 days of cold storage cost for each backup deleted. This penalty will still be lower than keeping the backups in warm storage for 7 days and then in cold storage for 83 days, which is the current configuration. Therefore, option A is the most cost-effective solution.

This option allows the solution to decouple the API from the Lambda function and use EventBridge as an event-driven service that can handle failures gracefully1. By using two event buses, one for normal events and one for failed events, the solution can ensure that no data is lost and that data can be processed later if failures occur2. The primary event bus receives the data from the weather stations through the API integration and triggers the Lambda function through a rule. The Lambda function can then call the third-party service for data pre-processing. If the third-party service fails, the Lambda function can send an error response to EventBridge, which will route it to the secondary event bus as a failure destination3. The secondary event bus can then store the failed events in another service, such as Amazon S3 or Amazon SQS, for troubleshooting or reprocessing.

Using Amazon EventBridge with AWS Lambda

Using multiple event buses

Using failure destinations

[Using dead-letter queues]

==================

Amazon S3 Intelligent-Tiering is a storage class that automatically moves objects between two access tiers based on changing access patterns. Objects that are accessed frequently are stored in the frequent access tier and objects that are accessed infrequently are stored in the infrequent access tier. This allows for cost optimization without requiring manual intervention. This makes it an ideal solution for the scenario described, as it can automatically move objects that are infrequently accessed after 30 days to a lower-cost storage tier while still maintaining millisecond retrieval availability.

The company should purchase the same Reserved Instances for an additional 3-year term with All Upfront payment. The company should purchase a 3-year Compute Savings Plan with All Upfront payment in the management account to cover any additional compute costs. This solution will provide the company with the most cost savings because Reserved Instances and Savings Plans are both pricing models that offer significant discounts compared to On-Demand pricing. Reserved Instances are commitments to use a specific instance type and size in a single Region for a one- or three-year term. You can choose between three payment options: No Upfront, Partial Upfront, or All Upfront. The more you pay upfront, the greater the discount1. Savings Plans are flexible pricing models that offer low prices on EC2 instances, Fargate, and Lambda usage, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a one- or three-year term. You can choose between two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans apply to any EC2 instance regardless of Region, instance family, operating system, or tenancy, including those that are part of EMR, ECS, or EKS clusters, or launched by Fargate or Lambda. EC2 Instance Savings Plans apply to a specific instance family within a Region and provide the most savings2. By purchasing the same Reserved Instances for an additional 3-year term with All Upfront payment, the company can lock in the lowest possible price for its EC2 instances that run continuously for 3 years. By purchasing a 3-year Compute Savings Plan with All Upfront payment in the management account, the company can benefit from additional discounts on any other compute usage across its member accounts.

The other options are not correct because:

Purchasing a 1-year Compute Savings Plan with No Upfront payment in each member account would not provide as much cost savings as purchasing a 3-year Compute Savings Plan with All Upfront payment in the management account. A 1-year term offers lower discounts than a 3-year term, and a No Upfront payment option offers lower discounts than an All Upfront payment option. Also, purchasing a Savings Plan in each member account would not allow the company to share the benefits of unused Savings Plan discounts across its organization.

Purchasing a 3-year EC2 Instance Savings Plan with No Upfront payment in the management account to cover EC2 costs in each AWS Region would not provide as much cost savings as purchasing Reserved Instances for an additional 3-year term with All Upfront payment. An EC2 Instance Savings Plan offers lower discounts than Reserved Instances for the same instance family and Region. Also, a No Upfront payment option offers lower discounts than an All Upfront payment option.

Purchasing a 3-year EC2 Instance Savings Plan with All Upfront payment in each member account would not provide as much flexibility or cost savings as purchasing a 3-year Compute Savings Plan with All Upfront payment in the management account. An EC2 Instance Savings Plan applies only to a specific instance family within a Region and does not cover Fargate or Lambda usage. Also, purchasing aSavings Plan in each member account would not allow the company to share the benefits of unused Savings Plan discounts across its organization.

https://aws.amazon.com/getting-started/hands-on/move-to-managed/migrate-mongodb-to-documentdb/

A is the correct answer because it uses Amazon DocumentDB (with MongoDB compatibility) as a key-value database that can scale based on demand and supports encryption in transit and at rest. Amazon DocumentDB is a fully managed document database service that is designed to be compatible with the MongoDB API. It is a NoSQL database that is optimized for storing, indexing, and querying JSON data. Amazon DocumentDB supports encryption in transit using TLS and encryption at rest using AWS Key Management Service (AWS KMS). Amazon DocumentDB also supports provisioned IOPS volumes that can scale up to 64 TiB of storage and 256,000 IOPS per cluster. To connect to Amazon DocumentDB, you can use the instance endpoint, which connects to a specific instance in the cluster, or the cluster endpoint, which connects to the primary instance or one of the replicas in the cluster. Using the cluster endpoint is recommended for high availability and load balancing purposes. References:

https://docs.aws.amazon.com/documentdb/latest/developerguide/what-is.html

https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.html

https://docs.aws.amazon.com/documentdb/latest/developerguide/limits.html

https://docs.aws.amazon.com/documentdb/latest/developerguide/connecting.html

https://aws.amazon.com/migration-evaluator/features/

Option A is incorrect because creating a Direct Connect gateway in the central account and creating an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway does not enable active-passive failover between the regions. A Direct Connect gateway is a globally available resource that enables you to connect your AWS Direct Connect connection over a private virtual interface (VIF) to one or more VPCs in any AWS Region. A virtual private gateway is the VPN concentrator on the Amazon side of a VPN connection. You can associate a Direct Connect gateway with either a transit gateway or a virtual private gateway. However, a Direct Connect gateway does not provide any load balancing or failover capabilities by itself1

Option B is correct because creating a Direct Connect gateway and a transit gateway in the central network account and attaching the transit gateway to the Direct Connect gateway by using a transit VIF meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. A transit VIF is a type of private VIF that you can use to connect your AWS Direct Connect connection to a transit gateway or a Direct Connect gateway. A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. By using a transit VIF, you can route traffic between your on-premises network and multiple VPCs across different AWS accounts and Regions through a single connection23

Option C is incorrect because provisioning an internet gateway, attaching the internet gateway to subnets, and allowing internet traffic through the gateway does not meet the requirement of routing cloud resources to the internet through its on-premises data center. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. By using an internet gateway, you are routing cloud resources directly to the internet, not through your on-premises data center.

Option D is correct because sharing the transit gateway with other accounts and attaching VPCs to the transit gateway meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. You can share your transit gateway with other AWS accounts within the same organization by using AWS Resource Access Manager (AWS RAM). This allows you to centrally manage connectivity from multiple accounts without having to create individual peering connections between VPCs or duplicate network appliances in each account. You can attach VPCs from different accounts and Regions to your shared transit gateway and enable routing between them.

Option E is incorrect because provisioning VPC peering as necessary does not meet the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within asingle Region. However, VPC peering does not allow you to route traffic from your on-premises network to your VPCs or between multiple Regions. You would need to create multiple VPN connections or Direct Connect connections for each VPC peering connection, which increases operational complexity and costs.

Option F is correct because provisioning only private subnets, opening the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center meets the requirement of routing cloud resources to the internet through its on-premises data center. A private subnet is a subnet that’s associated with a route table that has no route to an internet gateway. Instances in a private subnet can communicate with other instances in the same VPC but cannot access resources on the internet directly. To enable outbound internet access from instances in private subnets, you can use NAT devices such as NAT gateways or NAT instances that are deployed in public subnets. A public subnet is a subnet that’s associated with a route table that has a route to an internet gateway. Alternatively, you can use your on-premises data center as a NAT device by configuring routes on your transit gateway and customer gateway that direct outbound internet traffic from your private subnets through your VPN connection or Direct Connect connection. This way, you can route cloud resources to the internet through your on-premises data center instead of using an internet gateway.

CodeCommit may use S3 on the back end (and it also uses DynamoDB on the back end) but I don't think they're stored in buckets that you can see or point Macie to. In fact, there are even solutions out there describing how to copy your repo from CodeCommit into S3 to back it up:https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-event-driven-backups-from-codecommit-to-amazon-s3-using-codebuild-and-cloudwatch-events.html

https://repost.aws/knowledge-center/kinesis-readprovisionedthroughputexceeded

Follow Data Streams best practices

To mitigate ReadProvisionedThroughputExceeded exceptions, apply these best practices:

• Reshard your stream to increase the number of shards in the stream.

• Use consumers with enhanced fan-out. For more information about enhanced fan-out, see Developing custom consumers with dedicated throughput (enhanced fan-out).

• Use an error retry and exponential backoff mechanism in the consumer logic if ReadProvisionedThroughputExceeded exceptions are encountered. For consumer applications that use an AWS SDK, the requests are retried by default.

https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager/

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_cloudformation.html

https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/

AWS Organizations allows the management of multiple AWS accounts as a single entity and AWS CloudFormation StackSets allows creating, updating, and deleting stacks across multiple accounts and regions in an organization. This solution allows creating a single CloudFormation template that can be deployed across multiple accounts and regions, and also allows for the management of access and permissions for the different accounts through the use of IAM roles and policies in the management account.

Create VPC Endpoint Service:

In the shared VPC, create a VPC endpoint service using the Network Load Balancer (NLB) that fronts the centralized application.

Enable the option to require endpoint acceptance to control which business unit VPCs can connect to the service.

Set Up VPC Endpoints in Business Unit VPCs:

In each business unit VPC, create a VPC endpoint that points to the VPC endpoint service created in the shared VPC.

Use the service name of the endpoint service created in the shared VPC for configuration.

Accept Endpoint Requests:

From the VPC endpoint service console in the shared VPC, review and accept endpoint connection requests from authorized business unit VPCs. This ensures that only authorized VPCs can access the centralized application.

Configure Routing:

Update the route tables in each business unit VPC to direct traffic destined for the centralized application through the VPC endpoint.

This solution ensures secure, private connectivity between the business unit VPCs and the shared VPC, even if there are overlapping CIDR blocks. It leverages AWS PrivateLink and VPC endpoints to provide scalable and controlled access​(AWS Documentation)​​(Amazon Web Services, Inc.)​.

https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportLambdaFunctionRecommendations.html

https://docs.aws.amazon.com/firehose/latest/dev/creating-the-stream-to-splunk.html

This option allows the solutions architect to use a DeletionPolicy attribute to specify how AWS CloudFormation handles the deletion of an S3 bucket when the stack is deleted1. By setting the value of Delete, the solutions architect can instruct CloudFormation to delete the bucket and all of itscontents1. This option does not require any major changes to the application’s architecture or any additional resources.

Deletion policies

Option A is correct because placing the EC2 instances behind an Application Load Balancer (ALB) and associating an SSL certificate from AWS Certificate Manager (ACM) with the ALB enables encryption in transit between the client and the ALB. Exporting the SSL certificate and installing it on each EC2 instance enables encryption in transit between the ALB and the web server. Configuring the ALB to listen on port 443 and to forward traffic to port 443 on the instances ensures that HTTPS is used for both connections. This solution achieves end-to-end encryption in transit for the web application12

Installing AWS Outposts for the applications that have data regulatory requirements or requirements for latency of single-digit milliseconds will provide a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises1. AWS Outposts allows customers to run some AWS services locally and connect to a broad range of services available in the local AWS Region1. Using AWS Snowball Edge Compute Optimized devices to host the workloads in the factory sites will provide local compute and storage resources for locations with limited network infrastructure2. AWS Snowball Edge devices can run Amazon EC2 instances and AWS Lambda functions locally and sync data with AWS when network connectivity is available2.

The company has many S3 buckets and many identities across multiple AWS accounts. It currently uses S3 bucket policies for granular authorization. As requirements grow, the bucket policies have become very large and have hit the maximum size limits. The company needs a way to express granular, identity-based access to S3 resources without relying on increasingly complex bucket policies.

AWS provides S3 Access Grants to centrally manage S3 data access based on identities. S3 Access Grants integrate with IAM Identity Center and external identity providers such as Microsoft Entra ID (formerly Azure AD). With S3 Access Grants, you define grants that associate specific identities or groups (from IAM Identity Center) with permissions on specific S3 buckets, prefixes, or objects. Access Grants maintain a mapping between identities and S3 resources without requiring large, per-bucket policies.

Option A describes exactly this approach. You create an S3 Access Grant configuration associated with the IAM Identity Center instance that is already integrated with the company’s IdP. You then define S3 Access Grants for the various user groups according to business requirements, specifying the appropriate S3 buckets and prefixes. When users access S3 through AWS tools that support S3 Access Grants, temporary credentials are issued that reflect the grants. This centralizes authorization management, reduces the size and complexity of S3 bucket policies, and minimizes operational overhead because you manage permissions per identity group rather than constantly editing long bucket policies.

Option B uses S3 access points and Object Lambda Access Points with a Lambda function for data filtering. This is more suitable for content transformation or redaction rather than primary authorization management. It adds operational complexity by requiring custom Lambda code and Object Lambda configuration, and it does not directly solve the problem of large bucket policies for fine-grained permissions.

Option C uses per-bucket S3 access points with attached policies. While access points can simplify some aspects of access control and allow per-application policies, using many access points with detailed policies can still lead to significant policy complexity. It also does not take advantage of the existing IAM Identity Center integration and does not centrally align permissions with identity groups.

Option D uses AWS Organizations service control policies (SCPs). SCPs are intended to define high-level guardrails and maximum permissions at the account or organizational unit level, not detailed, per-bucket or per-prefix access control for individual users or groups. Using SCPs to express granular S3 bucket permissions would be complex, hard to maintain, and not aligned with the purpose of SCPs.

Therefore, using S3 Access Grants integrated with IAM Identity Center (option A) provides a centralized, identity-aware, low-overhead way to manage granular S3 access without hitting S3 bucket policy size limits.

C: Multipart uploads can leave incomplete parts behind, which incur storage costs. Expiring them after 7 days minimizes waste and saves cost.

E: Since objects are infrequently accessed after 180 days, transitioning toS3 Standard-IAis cost-effective, especially for large files >128 KB (your 100 MB+ files qualify).

Ais for shifting download cost, not reducing your S3 storage expenses.

Bhelps with upload speed butincreases cost.

Dis too aggressive; Glacier is not suited for access patterns within the first few days.

The best solution for this problem is to update the visibility timeout for the SQS queue to 3 hours. This is because when the visibility timeout is set to 1 hour, it means that if the EC2 instance doesn't process the message within an hour, it will be moved to the dead-letter queue. By increasing the visibility timeout to 3 hours, this should give the EC2 instance enough time to process the message before it gets moved to the dead-letter queue. Additionally, configuring scale-in protection for the EC2 instances during processing will help to ensure that the instances are not terminated while the messages are being processed.

AWS Elastic Disaster Recovery (AWS DRS) is a service that minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery1. Users can set up AWS DRS on their source servers to initiate secure data replication to a staging area subnet in their AWS account, in the AWS Region they select. Users can then launch recovery instances on AWS within minutes, using the most up-to-date server state or a previous point in time.

To configure a cloud backup of the application with AWS DRS, users need to create a VPC that has at least two public subnets, a virtual private gateway, and an internet gateway. AVPC is a logically isolated section of the AWS Cloud where users can launch AWS resources in a virtual network that they define2. A public subnet is a subnet that has a route to an internet gateway3. A virtualprivate gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection4. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the VPC and the internet. Users need to create at least two public subnets for redundancy and high availability. Users need to create a virtual private gateway and attach it to the VPC to enable VPN connectivity between the on-premises network and the target AWS network. Users need to create an internet gateway and attach it to the VPC to enable internet access for the replication servers.

To ensure that replication traffic does not travel through the public internet, users need to create an AWS Direct Connect connection and a Direct Connect gateway between the on-premises network and the target AWS network. AWS Direct Connect is a service that establishes a dedicated network connection from an on-premises network to one or more VPCs. A Direct Connect gateway is a globally available resource that allows users to connect multiple VPCs across different Regions to their on-premises networks using one or more Direct Connect connections. Users need to create an AWS Direct Connect connection between their on-premises network and an AWS Region. Users need to create a Direct Connect gateway and associate it with their VPC and their Direct Connect connection.

To ensure that the application is not accessible from the internet, users need to select the option to use private IP addresses for data replication during configuration of the replication servers. This option configures the replication servers with private IP addresses only, without assigning any public IP addresses or Elastic IP addresses. This way, the replication servers can only communicate with other resources within the VPC or through VPN connections.

Option A is incorrect because creating a VPC that has at least two private subnets, two NAT gateways, and a virtual private gateway is not necessary or cost-effective. A private subnet is a subnet that does not have a route to an internet gateway3. A NAT gateway is a highly available, managed Network Address Translation (NAT) service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances. Users do not need to createprivate subnets or NAT gateways for this use case, as they can use public subnets with private IP addresses for data replication.

Option C is incorrect because creating an AWS Site-to-Site VPN connection between the on-premises network and the target AWS network will not ensure that replication traffic does not travel through the public internet. A Site-to-Site VPN connection consists of two VPN tunnels between an on-premises customer gateway device and a virtual private gateway in your VPC4. The VPN tunnels are encrypted using IPSec protocols, but they still use public IP addresses for communication. Users need to use AWS Direct Connect instead of Site-to-Site VPN for this use case.

Option F is incorrect because selecting the option to ensure that the Recovery instance’s private IP address matches the source server’s private IP address during configuration of the launch settings for the target servers will not ensure that the application is not accessible from the internet. This option configures the Recovery instance with an identical private IP address as its source server when launched in drills or recovery mode. However, this option does not prevent assigning public IP addresses or Elastic IP addresses to the Recovery instance. Users need to select the option to use private IP addresses for data replication instead.

By reducing the number of data nodes in the cluster to 2 and adding UltraWarm nodes to handle the expected capacity, the company can reduce the cost of running the cluster. Additionally, configuring the indexes to transition to UltraWarm when OpenSearch Service ingests the data will ensure that the data is stored in the most cost-effective manner. Finally, transitioning the input data to S3 Glacier Deep Archive after 1 month by using an S3 Lifecycle policy will ensure that the data is retained for compliance purposes, while also reducing the ongoing costs.

The current architecture uses a fleet of small EC2 instances that poll SQS for URLs and write results to EFS. Because URLs arrive only occasionally and each crawl takes 10 seconds or less, EC2 instances are often idle waiting for messages. This leads to unnecessary compute and storage costs.

This workload is naturally event-driven: each URL in the SQS queue triggers a short-lived crawl operation. AWS Lambda is well suited for such event-driven, short-duration tasks. Lambda integrates natively with Amazon SQS as an event source, which allows Lambda to poll the SQS queue automatically and invoke functions when messages arrive, scaling the concurrency up and down as needed. When there are no messages, there are no Lambda invocations and no compute charges, eliminating the cost of idle EC2 instances.

For storage of crawl results, Amazon S3 is a highly durable, cost-effective object store. The current use of an EFS file system mounted on all instances is no longer necessary if each Lambda invocation can write the output directly to S3 as objects (for example, CSV files). S3 charges only for the storage used and requests, and does not require continuously running file system infrastructure.

Option B replaces the idle fleet of EC2 instances with a Lambda function that reads from SQS. This aligns compute usage with actual work and takes advantage of serverless scaling and pricing.

Option E modifies the web-crawling process to store results in Amazon S3 instead of EFS, removing the need to maintain an EFS file system and its associated costs.

Option A increases instance size to m5.8xlarge, which greatly increases capacity and cost. Reducing the number of instances by 50% does not offset the large increase in instance size; it does not address idle capacity and likely increases overall cost.

Option C uses Amazon Neptune, which is a managed graph database service. It is not needed for storing simple CSV output; it is more complex and more expensive than S3 for this use case.

Option D uses Aurora Serverless MySQL. While Aurora Serverless can automatically scale, using a relational database to store simple crawl outputs adds unnecessary cost and operational complexity compared to S3 objects.

Therefore, moving the crawling logic to Lambda triggered by SQS (option B) and writing results directly to Amazon S3 (option E) meets the requirements in the most cost-effective way.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatch.html Elastic Beanstalk automatically uses Amazon CloudWatch to help you monitor your application and environment status. You can navigate to the Amazon CloudWatch console to see your dashboard and get an overview of all of your resources as well as your alarms. You can also choose to view more metrics or add custom metrics.

•Use Amazon S3 for web hosting with AWS AppSync for database API services. Use Amazon Simple Queue Service (Amazon SQS) for order queuing. Use AWS Lambda for business logic with an Amazon SQS dead-letter queue for retaining failed orders.

This solution will allow you to:

•Host a static website on Amazon S3 without provisioning or managing servers1.

•Use AWS AppSync to create a scalable GraphQL API that connects to your database and other data sources1.

•Use Amazon SQS to decouple and scale your order processing microservices1.

•Use AWS Lambda to run code for your business logic without provisioning or managing servers1.

•Use an Amazon SQS dead-letter queue to retain messages that can’t be processed by your Lambda function1.

To effectively gather information about network dependencies between VMs in an on-premises data center for migration to AWS, it's crucial to use tools that can capture detailed application and server dependencies. The AWS Application Discovery Service is designed for this purpose, particularly when migrating from environments like Linux-based VMware VMs. By installing the AWS Application Discovery Agent on the on-premises servers, the service can collect necessary data such as host IP addresses, hostnames, and network connection information. This data is crucial for creating a comprehensive network diagram that outlines the interactions and dependencies between various components of the on-premises infrastructure. The integration with AWS Migration Hub enhances this process by allowing the visualization of these dependencies in a network diagram format, aiding in the planning and execution of the migration process. This approach ensures a thorough understanding of the on-premises environment, which is essential for a successful migration to AWS.

The AWS Application Discovery Service can help plan migration projects by collecting data about on-premises servers, such as configuration, performance, and network connections. The data collection agent is a lightweight software that can be installed on each server to gather this information. This option is more cost-effective than agentless discovery, which requires deploying a virtual appliance in the VMware environment, or using CloudWatch agent, which incurs additional charges for CloudWatch Logs. Scanning the servers over a VPN is not a valid option for AWS Application Discovery Service. References: What is AWS Application Discovery Service?, Data collection methods

It can prevent the issue from happening again by monitoring the file system with the FreeStorageCapacity metric in Amazon CloudWatch and using Amazon EventBridge to invoke an AWS Lambda function to increase the capacity as required. This ensures that the file system always has enough free space to store user profiles and avoids reaching maximum capacity.

The company should create a second target group that is referenced by the ALB. The company should deploy the new logic to EC2 instances in this new target group. The company should update the ALB listener rule to use weighted target groups. The company should configure ALB target group stickiness. This solution will meet the requirements because weighted target groups are a feature that enables you to distribute traffic across multiple target groups using a single listener rule. You can specify a weight for each target group, which determines the percentage of requests that are routed to that target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests1. By creating a second target group and deploying the new logic to EC2 instances in this new target group, the company can have two versions of its business logic running in parallel. By updating the ALB listener rule to use weighted target groups,the company can control how much traffic is sent to each version. By configuring ALB target group stickiness, the company can ensure that a customer uses the same version of the business logic during the testing window. Target group stickiness is a feature that enables you to bind a user’s session to a specific target within a target group for the duration of the session2.

The other options are not correct because:

Creating a second ALB and deploying the new logic to a set of EC2 instances in a new Auto Scaling group would not be as cost-effective or simple as using weighted target groups. A second ALB would incur additional charges and require more configuration and management. Updating the Route 53 record to use weighted routing would not ensure that a customer uses the same version of the business logic during the testing window, as DNS caching could affect how requests are routed.

Creating a new launch configuration for the Auto Scaling group and replacing it on the Auto Scaling group would not allow for gradual traffic shifting between versions. A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. You can specify information such as the AMI ID, instance type, key pair, security groups, and block device mapping for your instances3. However, replacing the launch configuration on an Auto Scaling group would affect all instances in that group, not just 10% of customers.

Creating a second Auto Scaling group and changing the ALB routing algorithm to least outstanding requests (LOR) would not allow for controlled traffic shifting between versions. A second Auto Scaling group would require more configuration and management. The LOR routing algorithm is a feature that enables you to route traffic based on how quickly targets respond to requests. The load balancer selects a target from the target group with the fewest outstanding requests4. However, this algorithm does not take into account customer sessions or weights.

 The company should configure a cross-Region read replica for the RDS database in the new Region. The company should change the Route 53 record to latency-based routing to connect to the API Gateway API. This solution will meet the requirements because a cross-Region read replica is a feature that enables you to create a MariaDB, MySQL, Oracle, PostgreSQL, or SQL Server read replica in a different Region from the source DB instance. You can use cross-Region read replicas to improve availability and disaster recovery, scale out globally, or migrate an existing database to a new Region1. By creating a cross-Region read replica for the RDS database in the new Region, the company can have a standby copy of its primary database that can serve read-only traffic from users in Europe. A latency-based routing policy is a feature that enables you to route traffic based on the latency between your users and your resources. You can use latency-based routing to route traffic to the resource that provides the best latency2. By changing the Route 53 record to latency-based routing, the company can minimize latency for users who download reports by connecting them to the API Gateway API in the Region that provides the best response time.

The other options are not correct because:

Using AWS Database Migration Service (AWS DMS) to replicate the primary database in the original Region to the database in the new Region would not be as cost-effective or simple as using a cross-Region read replica. AWS DMS is a service that enables you to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to perform one-time migrations or continuous data replication with high availability and consolidate databases intoa petabyte-scale data warehouse3. However, AWS DMS requires more configuration and management than creating a cross-Region read replica, which is fully managed by Amazon RDS. AWS DMS also incurs additional charges for replication instances and tasks.

Creating an Amazon API Gateway Data API service integration with Amazon Redshift would not help with disaster recovery or minimizing latency. The Data API is a feature that enables you to query your Amazon Redshift cluster using HTTP requests, without needing a persistent connection or a SQL client. It is useful forbuilding applications that interact with Amazon Redshift, but not for replicating or recovering data from an RDS database.

Creating an AWS Data Exchange datashare by connecting AWS Data Exchange to the Redshift cluster would not help with disaster recovery or minimizing latency. AWS Data Exchange is a service that makes it easy for AWS customers to exchange data in the cloud. You can use AWS Data Exchange to subscribe to a diverse selection of third-party data products or offer your own data products to other AWS customers. A datashare is a feature that enables you to share live and secure access to your Amazon Redshift data across your accounts or with third parties without copying or moving the underlying data. It is useful for sharing query results and views with other users, but not for replicating or recovering data from an RDS database.

https://aws.amazon.com/rds/aurora/global-database/

The use of provisioned concurrency ensures the web application’s Lambda functions have pre-initialized execution environments, removing cold start latency and maintaining performance during high-traffic periods.

Route 53 health checks and failover records automate DNS failover to the secondary Region, improving application availability and reliability.

The CloudWatch alarm is configured to monitor the Lambda ConcurrentExecutions metric and send an SNS notification if concurrency usage nears the limit, enabling quick operational response.

This approach minimizes manual management, ensuring reliability and performance during peak traffic while meeting best practices for AWS Lambda and Route 53 failover.

It is the fastest when it comes to rollback and deploying changes every hour

Migrate the database to Amazon Aurora MySQL. - Create an Amazon Aurora Replica. - Use RDS Proxy in front of the database. - These options are correct because they address the requirement of reducing the failover time to less than 20 seconds. Migrating to Amazon Aurora MySQL and creating an Aurora replica can reduce the failover time to less than 20 seconds. Aurora has a built-in, fault-tolerant storage system that can automatically detect and repair failures. Additionally, Aurora has a feature called "Aurora Global Database" which allows you to create read-only replicas across multiple AWS regions which can further help to reduce the failover time. Creating an Aurora replica can also help to reduce the failover time as it can take over as the primary DB instance in case of a failure. Using RDS proxy can also help to reduce the failover time as it can route the queries to the healthy DB instance, it also helps to balance the load across multiple DB instances.

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server toannounce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.

https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

Creating an Amazon EventBridge rule that runs every business day in the evening to stop instances and another rule that runs every business day in the morning to start instances based on the tag will reduce costs with the least operational effort. This approach allows for instances to be stopped during non-business hours when they are not in use, reducing the costs associated with running them. It also allows for instances to be started again in the morning when the development and testing teams need to use them.

Configuring the Aurora MySQL DB cluster to publish slow query and error logs to AmazonCloudWatch Logs will allow the solutions architect to monitor and troubleshoot the database performance by identifying slow or problematic queries1. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Implementing the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for Java will allow the solutions architect to measure and map the end-to-end latency and performance of the web application3. X-Ray traces show how requests travel through the application components, such as web servers, load balancers, microservices, and databases4. X-Ray also provides features such as service maps, annotations, histograms, and error rates to analyze and optimize the application performance.

Installing and configuring an Amazon CloudWatch Logs agent on the EC2 instances to send the Apache logs to CloudWatch Logs will allow the solutions architect to monitor and troubleshoot the web server performance by collecting and storing the Apache access and error logs. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Publishing Aurora MySQL logs to Amazon CloudWatch Logs

Working with log data in CloudWatch Logs

Instrumenting your application with the X-Ray SDK for Java

Tracing requests with AWS X-Ray

[Analyzing application performance with AWS X-Ray]

[Using CloudWatch Logs with your Apache web server]

Creating an internal ALB and configuring it as a PrivateLink endpoint service enables private connectivity between internal applications and the metadata API, ensuring that traffic does not traverse the public internet.

Internal ALB: Ensures traffic stays within the AWS network and is not exposed publicly.

PrivateLink endpoint service: Provides secure, private access to the ALB from the internal EC2 instances in other AWS accounts.

Traffic stays within the AWS global network, leveraging AWS security best practices and meeting the new policy requirements for no public internet exposure.This approach is secure, scalable, and minimizes management complexity compared to API Gateway solutions.

The best solution is to use AWS Database Migration Service (AWS DMS) to migrate thedata to AWS. AWS DMS is a web service that can migrate data from various sources to various targets, including MySQL databases. AWS DMS can perform full load and change data capture (CDC) migrations, which means that it can copy the existing data and also capture the ongoing changes to keep the source and target databases in sync. This minimizes the downtime during the migration process. AWS DMS also supports encryption at rest and in transit by using AWS Key Management Service (AWS KMS) and TLS, respectively. This ensures that the data is protected during the migration. AWS DMS can also leverage AWS Direct Connect to transfer the data over a private connection, avoiding the internet. This solution meets all the requirements of the company. References: AWS Database Migration Service Documentation, Migrating Data to Amazon RDS for MySQL or MariaDB, Using SSL to Encrypt a Connection to a DB Instance

This option allows the solutions architect to use Aurora global database to replicate data across multiple AWS Regions with low latency and high availability1. By launching the solution in the target Region, the solutions architect can ensure that the API Gateway, Lambda functions, and other resources are ready to serve traffic in case of a disaster in the source Region. By configuring the two Regional solutions to work in an active-passive configuration, the solutions architect can minimize costs and avoid data conflicts by having only one primary Region that accepts write operations and one secondary Region that serves as a standby2. The RTO and RPO requirements can be met by using Aurora global database, which supports sub-second failover times and near real-time replication1.

Working with Amazon Aurora global database

Active-passive failover

https://aws.amazon.com/blogs/storage/new-enhancements-for-moving-data-between-amazon-fsx-for-lustre-and-amazon-s3/

https://aws.amazon.com/premiumsupport/knowledge-center/dynamodb-global-table-stream-lambda/?nc1=h_ls

With AWS PrivateLink, the marketing team can create an endpoint service to share theirinternal application with other accounts securely using private IP addresses. They can grant permission to specific AWS accounts to connect to the service and create interface VPC endpoints in the other accounts to access the application by using private IP addresses. This option does not require any changes to the network of the other business units, and it does not require peering or NATing. This solution is both scalable and secure.

https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/

This solution will allow the detection logic to be run as soon as the image is uploaded to the S3 bucket, before it is served to users via the CloudFront distribution. This way, the detection logic can quickly identify any corrupted images and prevent them from being served to users, minimizing latency between ingestion and serving.

Establish AWS Direct Connect Connections:

Step 1: Set up two AWS Direct Connect (DX) connections from the company headquarters to a chosen AWS Region. This provides a redundant and high-availability setup to ensure continuous connectivity.

Step 2: Ensure that these DX connections terminate in a specific Direct Connect location associated with the chosen AWS Region.

Use Company WAN:

Step 1: Configure the company's global WAN to route traffic through the established Direct Connect connections.

Step 2: This setup ensures that all traffic between the company's headquarters and AWS does not traverse the public internet, maintaining compliance with security requirements.

Set Up Direct Connect Gateway:

Step 1: Create a Direct Connect Gateway in the AWS Management Console. This gateway allows you to connect your Direct Connect connections to multiple VPCs across different AWS Regions.

Step 2: Associate the Direct Connect Gateway with the VPCs in the various Regions where your critical data is stored. This enables access to data in multiple Regions through a single Direct Connect connection.

By using Direct Connect and Direct Connect Gateway, the company can achieve secure, reliable, and cost-effective access to data stored across multiple AWS Regions without using the public internet, ensuring compliance with industry regulations.

References

AWS Direct Connect Documentation

Building a Scalable and Secure Multi-VPC AWS Network Infrastructure​(AWS Documentation)​​(AWS Documentation)​.

Comprehensive and Detailed Explanation From Exact Extract:

The requirements emphasize minimum downtime, rapid migration, managed database services, high availability, and support for stored procedures. For Oracle-to-AWS migrations with minimal downtime, AWS DMS can replicate ongoing changes from the source database to the target, which reduces cutover downtime. However, a critical constraint is that the database contains stored procedures. If the company moves to a different engine, it must convert schema objects and procedural code.

Option D is the only option that combines an online replication approach (AWS DMS) with a managed, highly available target database (Amazon Aurora PostgreSQL) and explicitly includes schema and stored procedure conversion with AWS SCT. This aligns with a fast migration approach: SCT prepares the converted schema and stored procedures, while DMS performs ongoing replication of data changes until cutover, minimizing downtime. Aurora PostgreSQL is a managed service and supports high availability through multi-AZ architecture and managed failover capabilities within a Region.

Option A is incorrect because Amazon RDS does not use an S3 bucket “as database storage” in the way described. RDS storage is managed by the RDS service, and S3 replication is not the mechanism used to provide database high availability. High availability for RDS is typically achieved through Multi-AZ configurations and/or cluster-based architectures depending on engine. The described storage approach is not a valid managed RDS architecture.

Option B does not meet the managed database requirement because it restores Oracle onto EC2 instances, which is self-managed. It also does not meet minimum downtime because it requires shutting down the on-premises database to avoid new transactions before restoring the backup. This is a longer outage model than an online migration with continuous replication.

Option C is not feasible and would require major redesign. DynamoDB is not a relational database replacement for Oracle stored procedures. DAX is a DynamoDB cache and cannot run stored procedures. The option also incorrectly suggests running stored procedures “in DAX.” This does not meet the “migrate as quickly as possible with minimum downtime” requirement due to extensive refactoring and redesign.

Therefore, migrating to Aurora PostgreSQL using AWS SCT for schema and stored procedure conversion, and AWS DMS for ongoing replication to minimize downtime, is the best fit.

"A usage plan specifies who can access one or more deployed API stages and methods—and also how much and how fast they can access them. The plan uses API keys to identify API clients and meters access to the associated API stages for each key. It also lets you configure throttling limits and quota limits that are enforced on individual client API keys."https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span...... The following caveats apply to AWS WAF rate-based rules: The minimum rate that you can set is 100. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior five minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it. AWS WAF can block up to 10,000 IP addresses. If more than 10,000 IP addresses send high rates of requests at the same time, AWS WAF will only block 10,000 of them. "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

Option B effectively addresses the disaster recovery requirements:

Creating a new backup vault in both the source and recovery accounts allows for organized and secure storage of backups.

Using a multi-Region customer managed KMS key ensures that the backups are encrypted at all times and can be decrypted in the recovery account, maintaining data security during cross-account and cross-Region transfers.

Redirecting backups to the new backup vault in the source account and configuring a key policy to allow access from the recovery account facilitates seamless and secure backup copying.

Scheduling a cross-account backup plan enables automated and regular copying of backups to the recovery account, ensuring that the DR plan is consistently maintained.

This approach ensures that backups are securely and efficiently replicated to the recovery account in a different Region, aligning with the company's DR requirements.

https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html

- Export an OVF Template

- Create / use an Amazon S3 bucket for storing the exported images. The bucket must be in the Region where you want to import your VMs.

- Create an IAM role named vmimport.

- You'll use AWS CLI to run the import commands.

https://aws.amazon.com/premiumsupport/knowledge-center/import-instances/

AWS Backup is a fully managed service that makes it easy to centralize and automate the creation, retention, and restoration of backups across AWS services. It provides a way to schedule automatic backups for CodeCommit repositories on an hourly basis. Additionally, it also supports cross-Region replication, which allows you to copy the backups to a second Region for disaster recovery.

By using AWS Backup, the company can set up an automatic and regular backup schedule for the CodeCommit repository, ensuring that the data is regularly backed up and stored in a second Region. This can provide a way to recover quickly from any disaster event that might occur.

Automating the process of increasing service quotas for Amazon EC2 instances in new AWS accounts with minimal operational overhead can be effectively achieved by using Amazon EventBridge, Amazon SNS, and AWS Lambda. An EventBridge rule can detect the creation of a new account and trigger an SNS topic, which in turn invokes a Lambda function. This function can then programmatically request a service quota increase for EC2 instances using the AWS Service Quotas API. This approach streamlines the process, reduces manual intervention, and ensures that new accounts are automatically configured with the desired service quotas.

Amazon EventBridge Documentation: Provides guidance on setting up event rules for detecting AWS account creation.

AWS Lambda Documentation: Details how to create and configure Lambda functions to perform automated tasks, such as requesting service quota increases.

AWS Service Quotas Documentation: Offers information on managing and requesting increases for AWS service quotas programmatically.

Developing infrastructure services using AWS CloudFormation templates and uploading them as AWS Service Catalog products to portfolios created in a central AWS account will enable thecompany to centrally manage the creation of infrastructure services and control who can use them1. AWS Service Catalog allows you to create and manage catalogs of IT services that are approved for use on AWS2. You can organize products into portfolios, which are collections of products along with configuration information3. You can share portfolios with other accounts in your organization using AWS Organizations4.

Allowing user IAM roles to have ServiceCatalogEndUserAccess permissions only and using an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints will enable the company to provide least privilege access to users when launching AWS infrastructure services. ServiceCatalogEndUserAccess is a managed IAM policy that grants users permission to list and view products and launch product instances. An automation script can help import the shared portfolios from the central account to the local accounts, copy the TagOption from the central account, assign users access to the portfolios, and apply launch constraints that specify which IAM role or user can provision a product.

Using the AWS Service Catalog TagOption Library to maintain a list of tags required by the company and applying the TagOption to AWS Service Catalog products or portfolios will enable the company to enforce tags on any infrastructure that is started by users. TagOptions are key-value pairs that you can use to classify your AWS Service Catalog resources. You can create a TagOption Library that contains all the tags that you want to use across your organization. You can apply TagOptions to products or portfolios, and they will be automatically applied to any provisioned product instances.

Creating a product from an existing CloudFormation template

What is AWS Service Catalog?

Working with portfolios

Sharing a portfolio with AWS Organizations

[Providing least privilege access for users]

[AWS managed policies for job functions]

[Importing shared portfolios]

[Enforcing tag policies]

[Working with TagOptions]

[Creating a TagOption Library]

[Applying TagOptions]

The correct answer is B.

B. This solution is the most cost-effective because it uses an EC2 Instance Savings Plan for the online gaming application instances, which provides the lowest prices and savings up to 72% compared to On-Demand prices. The EC2 Instance Savings Plan applies to any instance size within the same family and region, regardless of availability zone, operating system, or tenancy. The online gaming application instances run all year and must always be available, so they are not suitable for Spot Instances, which can be interrupted with a two-minute notice. This solution also uses Spot Instances for the analytics application, which can reduce the cost by up to 90% compared to On-Demand prices. The analytics application can be interrupted and resumed without issue, so it is a good fit for Spot Instances, which use spare EC2 capacity.This solution does not require AWSService Catalog, which is a service that helps to create and manage catalogs of IT services that are approved for use on AWS, but does not provide any discounts123

A. This solution is incorrect because it uses On-Demand Instances for the analytics application, which are more expensive than Spot Instances. The analytics application can be interrupted and resumed without issue, so it can benefit from the lower cost of Spot Instances, which use spare EC2 capacity.

C. This solution is incorrect because it uses Spot Instances for the online gaming application, which can be interrupted with a two-minute notice. The online gaming application instances must always be available, so they are not suitable for Spot Instances, which use spare EC2 capacity. This solution also uses AWS Service Catalog, which is a service that helps to create and manage catalogs of IT services that are approved for use on AWS, but does not provide any discounts.

D. This solution is incorrect because it uses On-Demand Instances for the online gaming application, which are more expensive than an EC2 Instance Savings Plan. The online gaming application instances run all year and must always be available, so they are suitable for an EC2 Instance Savings Plan, which provides the lowest prices and savings up to 72% compared to On-Demand prices. This solution also uses AWS Service Catalog, which is a service that helps to create and manage catalogs of IT services that are approved for use on AWS, but does not provide any discounts.

This solution meets the requirements by using Application Auto Scaling to automatically increase capacity during the peak period, which will handle the double the average load. And by purchasing reserved RCUs and WCUs to match the average load, it will minimize the cost of the table for the rest of the week when the load is close to the average.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html

Configuring AWS CloudTrail to log S3 data events will enable logging all activities for objects in the S3 bucket1. Data events are object-level API operations such as GetObject, DeleteObject, and PutObject1. Configuring Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic will enable sending email notifications every time there is an attempt to delete data in the S3 bucket2. EventBridge can route events from S3 to SNS, which can send emails to subscribers2. Configuring a new S3 bucket to store the logs with an S3 Lifecycle policy will enable keeping the logs for 5 years in a cost-effective way3. A lifecycle policy can transition the logs to a cheaper storage class such as Glacier or delete them after a specified period of time3.

Option A provides a straightforward and efficient solution:

DynamoDB global tables automatically replicate data across multiple Regions, ensuring that the secondary Region has up-to-date data without the need for custom replication logic.

Creating a read replica of the RDS DB instance in the secondary Region allows the application to access customer data without relying on the primary Region.

Configuring the secondary application to use these resources ensures that it can function independently, fulfilling the disaster recovery requirements with minimal development effort.

This solution leverages AWS's managed services to provide a resilient and low-maintenance disaster recovery setup.

This option will complete the migration to AWS in the least amount of time because it uses two AWS services that are designed to simplify and accelerate data transfers and migrations. AWS Application Migration Service (AWS MGN) is a highly automated lift-and-shift solution that helps you migrate applications from any source infrastructure that runs supported operating systems to AWS1. It replicates your source servers into your AWS account and automatically converts and launches them on AWS so you can quickly benefit from the cloud1. You can use AWS MGN to migrate your on-premises VMware VMs to AWS by configuring a connection to your VMware cluster and creating a replication job for the VMs2. This process will minimize the time-intensive, error-prone manual processes of exporting and importing VM images.

AWS DataSync is an online data movement and discovery service that simplifies and accelerates data migrations to AWS and helps you move data quicklyand securelybetween on-premises storage, edge locations, other cloud providers, and AWS Storage3. It can transfer data between Network File System (NFS) shares, Server Message Block (SMB) shares,Hadoop Distributed File Systems (HDFS), self-managed object storage, AWS Snowcone, Amazon Simple Storage Service (Amazon S3) buckets, Amazon Elastic File System (Amazon EFS) file systems, Amazon FSx for Windows File Server file systems, Amazon FSx for Lustre file systems, Amazon FSx for OpenZFS file systems, and Amazon FSx for NetApp ONTAP file systems3. You can use AWS DataSync to copy your on-premises NFS server data to an Amazon EFS file system over the Direct Connect connection4. This process will leverage the high bandwidth and low latency of Direct Connect and the encryption and data integrity validation of DataSync.

https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-error-kms/

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied" This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action.

The company requires two different types of security analysis: vulnerability scanning for CVEs and code-level scanning for sensitive data exposure. Amazon Inspector provides both Lambda Standard Scanning and Lambda Code Scanning. These capabilities allow Inspector to examine Lambda deployment packages and Lambda layers for software vulnerabilities, and also perform static code analysis to detect insecure coding patterns. To meet the requirement that only certain Lambda functions receive deeper code scanning, Inspector allows enabling or disabling code scanning at the individual Lambda function level through the function's Monitor settings. Inspector additionally supports resource exclusion based on tagging, allowing administrators to prevent specific Lambda functions from participating in code scans. Tag-based exclusion satisfies the requirement to scan only a subset of Lambda functions.

Option B is required because enabling both Lambda standard scanning and Lambda code scanning activates the functionality necessary for CVE detection and code security analysis.

Option D is required because enabling scanning at the function level ensures that code scanning runs only for selected Lambda functions.

Option E is required because resource exclusion using tags allows the administrator to exclude non-target Lambda functions from code scanning automatically.

Options A and C do not satisfy the requirement because simply activating Amazon Inspector does not configure per-function scanning behavior, and GuardDuty Lambda Protection does not scan for CVEs or code vulnerabilities. Option F is not valid because Amazon Inspector does not perform scans directly against objects stored in Amazon S3; scanning occurs against the deployed Lambda function versions themselves.

https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-auto-scaling.html

https://aws.amazon.com/about-aws/whats-new/2016/04/transfer-files-into-amazon-s3-up-to-300-percent-faster/

Option A is correct because using an Elastic Load Balancer and an Auto Scaling group with a minimum capacity of two instances can improve the availability and scalability of the EC2 instances that host the application. The load balancer can distribute traffic across multiple instances and the Auto Scaling group can replace any unhealthy instances automatically1

Option D is correct because modifying the DB instance to create a Multi-AZ deployment that extends across two Availability Zones can improve the availability and durability of the RDS for MariaDB database. Multi-AZ deployments provide enhanceddata protection and minimize downtime by automatically failing over to astandby replica in another Availability Zone in case of a planned or unplanned outage4

Option F is correct because creating a replication group for the ElastiCache for Redis cluster and enabling Multi-AZ on the cluster can improve the availability and fault tolerance of the in-memory data store. A replication group consists of a primary node and up to five read-only replica nodes that are synchronized with the primary node using asynchronous replication. Multi-AZ allows automatic failover to one of the replicas if the primary node fails or becomes unreachable6

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html Clearly says we need following header for SSE-C x-amz-server-side​-encryption​-customer-algorithm Use this header to specify the encryption algorithm. The header value must be AES256.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

Comprehensive and Detailed in Depth Explanation:

C is correct because Amazon EFS offers a scalable, elastic file system that can be mounted on both on-premises servers (via AWS Direct Connect or VPN) and EC2 instances. This allows real-time access to shared content with no migration downtime.

D is correct because AWS Snowball Edge Storage Optimized devices are designed for transferring petabyte-scale data (up to 80 TB per device). It’s a best practice for moving 200 TB of archival data when speed and bandwidth are constraints.

The correct answer is B. This option uses IAM Identity Center to create permission sets that map to the existing IAM roles in each account. This way, the company can leverage the existing policies and roles that are already configured for the expected activities of each group of users in each account. The company also needs to create a customer managed policy that allows the group to assume the roles and attach it to thepermission set. This policy grants the necessary permissions for IAM Identity Center to assume the roles on behalf of the users. Finally, the company can assign user access to the AWS accounts in IAM Identity Center, which will automatically create IAM users and groups in each account based on the permission sets.

Option A is incorrect because it requires creating new policies in each account and giving them the same name. This is not necessary and adds complexity and overhead. The company can use the existing IAM roles and policies that are already configured for each account.

Option C is incorrect because it requires creating new policies in each account and giving them unique names. This is also not necessary and adds complexity and overhead. The company can use the existing IAM roles and policies that are already configured for each account.

Option D is incorrect because it requires adding the OU to the accounts configuration in IAM Identity Center. This is not supported by IAM Identity Center, which only allows adding individual accounts or all accounts in an organization.

https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

Comprehensive and Detailed Explanation From Exact Extract:

The workload is a real-time leaderboard that needs extremely low latency: microsecond reads and single-digit millisecond writes. It also needs rapid failover (accepting writes in less than a minute after a primary node failure) and minimal operational overhead. Additionally, the data must be durable enough to persist and be used later for analytics through a data pipeline.

Amazon MemoryDB for Redis is a Redis-compatible, durable, in-memory database service designed for microsecond read latency and low-millisecond write latency while also providing durability through a distributed transaction log. MemoryDB is designed to be a primary database rather than a cache and supports Multi-AZ configurations with fast failover. These characteristics match the leaderboard’s latency requirements and the availability requirement to resume writes quickly after a failure. Because MemoryDB is fully managed, it has less operational overhead than running Redis on EC2.

Option C is the best choice because MemoryDB provides Redis compatibility, in-memory performance, Multi-AZ high availability, and durability that supports data persistence for downstream processing. The durability aspect is especially important for feeding analytics pipelines, because the data is not only cached but is retained as a database record.

Option A is not the best choice because Amazon ElastiCache for Redis is primarily used as a cache. While it can be configured for replication and can achieve low latency, it is not positioned as a durable primary data store in the same way as MemoryDB for Redis. For requirements that explicitly combine extremely low latency with persistence and database-like durability, MemoryDB is the more appropriate managed service with lower operational overhead than building custom durability mechanisms.

Option B is not suitable because Amazon RDS for MySQL typically cannot meet microsecond read latency, and write latencies are usually higher than single-digit milliseconds for non-trivial workloads. Also, read replicas do not provide multi-writer capability and do not ensure sub-minute write availability in all failure scenarios without additional architecture and failover handling.

Option D has the highest operational overhead because it requires the company to operate Redis on EC2: instance management, patching, scaling, replication, failover automation, monitoring, and backup/restore processes. This does not meet the requirement for the least operational overhead compared to fully managed services.

Therefore, an Amazon MemoryDB cluster in Multi-AZ mode provides the required ultra-low latency, rapid failover for write availability, durability for persistence, and least operational overhead.

C is correct: AWS Transfer Family can store uploaded files directly into Amazon S3.S3 event notificationscan triggerAWS Glue jobsto transform the data. Upon successful transformation, Glue can send a message toAmazon SQS, enabling event-driven architecture with minimal management.

A and D involve cron jobs or scheduled Glue jobs, which increase operational overhead and delay.

B (EMR) is overkill for frequent, lightweight transformations.

https://aws.amazon.com/dms/schema-conversion-tool/

AWS Schema Conversion Tool (SCT) can automatically convert the database schema from Microsoft SQL Server to Amazon RDS for MySQL. This allows for a smooth transition of the database schema without any manual intervention. AWS DMS can then be used to migrate the data from the on-premises databases to the newly created Amazon RDS for MySQL instance. This service can perform a one-time migration of the data or can set up ongoing replication of data changes to keep the on-premises and AWS databases in sync.

Comprehensive and Detailed Explanation From Exact Extract:

The requirements call for an event-driven redesign that uses serverless services and provides near real-time analytics updates. The current architecture relies on weekly ETL jobs, which is incompatible with near real-time analytics.

A serverless, event-driven architecture on AWS typically uses a managed event bus for decoupling producers and consumers and enabling routing/filtering to multiple targets. The analytics requirement suggests that events (orders, returns, updates) should be streamed to an analytics store continuously rather than copied on a weekly schedule.

Option C aligns with these goals. It modernizes the application components into microservices on a serverless compute substrate (AWS Fargate) and modernizes the databases to managed serverless offerings where possible. Aurora Serverless for MySQL provides an on-demand relational database option that reduces operational overhead for the transactional store. Redshift Serverless provides a managed data warehousing service suitable for analytics without provisioning clusters. Using Amazon EventBridge provides a serverless event routing layer that can deliver events from multiple sources to multiple targets, which supports near real-time propagation of business events from the applications into analytics ingestion and processing.

Option A is not fully aligned: it retains the transactional MySQL database on EC2 (not serverless/managed for the database layer) and moves analytics to Amazon Neptune, which is a graph database, not the typical replacement for an OLAP analytics database. SQS is a queue suited for point-to-point message processing, not a flexible event bus for fan-out to multiple analytics consumers and routing based on event patterns.

Option B is not serverless because it uses EC2 Auto Scaling groups for application compute. Although SNS can distribute messages, this option keeps compute server-based and does not directly provide a near real-time analytics warehouse pattern; it also uses Aurora MySQL for analytics, which is not a typical OLAP warehouse replacement compared to Redshift.

Option D is not appropriate: Amazon AppStream 2.0 is a service for streaming desktop applications to users, not for hosting microservices. AWS IoT Core is optimized for IoT device messaging and telemetry and is not the standard integration backbone for business application event routing across microservices and analytics.

Therefore, option C best satisfies the requirement for an event-driven, serverless architecture with near real-time analytics.

Comprehensive and Detailed Explanation From Exact Extract:

The key requirements are: OpenSearch Service must be deployed within a VPC (VPC-only access), and developers must access OpenSearch from their local machines across multiple locations, including home networks. The most suitable low-overhead approach is to provide remote users with secure client-based connectivity into the VPC so they can reach private endpoints.

AWS Client VPN is a managed client-based VPN service that allows individual users to establish secure TLS VPN connections from their devices into a VPC. By associating a Client VPN endpoint with a subnet in the VPC and configuring authorization rules and routes, developers can access private resources (including VPC-only Amazon OpenSearch Service endpoints) as if they were on the corporate network. Client VPN is designed for distributed workforces and supports users connecting from anywhere without requiring each remote location to have dedicated network appliances.

Option A matches the need for remote developer access from home and multiple offices with the least operational overhead because it is a managed service for user-based VPN access and does not require running and maintaining bastion fleets or building site-to-site networks for each location.

Option B is not correct because AWS Site-to-Site VPN is designed to connect networks (for example, an office network or data center) to AWS, not to provide individual developers remote access from arbitrary home networks. Also, instructing developers to use an OpenVPN client does not align with how Site-to-Site VPN is typically used; Site-to-Site VPN terminates on a customer gateway device, not on individual laptops.

Option C is not correct because Direct Connect is designed for dedicated private connectivity between on-premises networks and AWS. It is not a solution for individual developers connecting from home. Additionally, using a public VIF is for reaching public AWS endpoints, whereas the requirement is to keep access within a VPC. A public VIF does not provide private VPC access to VPC-only service endpoints.

Option D is not the best choice because a bastion host provides SSH access to instances, not direct, secure network-level access to VPC-only managed service endpoints from developer tools. It also increases operational overhead (patching, hardening, monitoring, scaling) and introduces additional security considerations. Developers also typically need browser-based or tool-based access to OpenSearch Dashboards, which is better served by VPN access into the VPC than SSH tunneling through a bastion host as a primary access mechanism.

Therefore, configuring AWS Client VPN to provide developers with secure connectivity into the VPC is the correct solution.

minimizes operational + microservices that run on containers = AWS Elastic Beanstalk

https://aws.amazon.com/s3/features/access-points/

https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/

https://aws.amazon.com/premiumsupport/knowledge-center/waf-analyze-count-action-rules/

Option B is correct because creating an IAM role in the application account that has permissions to access the secrets and creating an IAM role in the DBA account that has permissions to assume the role in the application account eliminates the need to manually share the secrets. This approach uses cross-account IAM roles to grant access to the secrets in the application account. The database administrators canassume the role in the application account from their EC2 instance in the DBA account and retrieve the secrets without having to store them locally or share them manually2

This option allows the company to use Amazon Aurora MySQL, which is a fully managed relational database service that is compatible with MySQL and offers up to five times better performance than standard MySQL1. By migrating the database to Aurora MySQL, the company can benefitfrom its high availability, durability, scalability, and security features1. By deploying the application in an Auto Scaling group on Amazon EC2 instances behind an Application LoadBalancer, the company can ensure that the application can handle varying levels of traffic and distribute the requests across multiple instances2. By storing sessions in an Amazon ElastiCache for Redis replication group, the company can improve the performance and reliability of the session data by using a fast, in-memory data store that supports replication and failover3.

What is Amazon Aurora?

What is Auto Scaling?

What is Amazon ElastiCache?

Amazon Elastic Container Service (ECS) on AWS Fargate is a fully managed service that allows you to run containers without having to manage the underlying infrastructure. When you launch tasks on Fargate, resources are automatically allocated based on the number of tasks running, which reduces the operational overhead.

Using ECS on Fargate allows you to assign custom tags to tasks using the --tags option in the run-task command, as described in the documentation:https://docs.aws.amazon.com/cli/latest/reference/ecs/run-task.htmlYou can also set enableECSManagedTags to true, which allows the service to automatically add the cluster name and service name as tags.https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-constraints.html#tag-based-scheduling

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement. The solution must:

Support automated transfer of raw and processed data.

Offer multiprotocol support.

Be directly usable from the EKS cluster as a mounted volume.

Minimize operational effort by using managed services where possible.

AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.

Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.

In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.

Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.

Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.

Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.

Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.

This option uses a cross-Region read replica of the RDS DB instance to provide a standby database in the separate Region. A cross-Region read replica is a copy of the primary database that is updated asynchronously using the native replication features of the database engine. It provides enhanced availability, scalability, and performance for read-heavy workloads. It also enables fast recovery from a regional outage by promoting the read replica to a standalone database. To use a cross-Region read replica, the company needs to set up a second ECS cluster and ECS service on Fargate in the separate Region. The company also needs to create an AWS Lambda function to promote the read replica to the primary database and update Route 53 to route traffic to the second ECS cluster. The company can then update the EventBridge rule to add a target that will invoke the Lambda function in case of a failure.

 This solution will provide the highest availability for the database, as the read replicas will allow the database to be available in multiple Regions, thus reducing the chances of disruption. Additionally, the promotion of the cross-Region read replica to become a standalone DB instance will ensure that the database is still available even if one of the Regions experiences disruptions.

Creating a single transit gateway in eu-west-1 allows for centralized and cost-effective connectivity between the VPCs involved, without the complexity of creating multiple peering connections or transit gateways.

This approach also allows for selective attachment of only the required VPCs, meeting the strict security and access requirements.

Route table configuration ensures traffic flows properly through the transit gateway, providing connectivity for the application without exposing other VPC resources.

This solution is the most cost-effective and operationally efficient choice for secure inter-Region communication.

https://aws.amazon.com/global-accelerator/faqs/

The most operationally efficient solution for turning on AWS CloudTrail across multiple AWS accounts managed within an AWS Organization is to create a single CloudTrail trail in the organization's management account and configure it to log events for all accounts within the organization. This approach leverages CloudTrail's ability to consolidate logs from all accounts in an organization, thereby simplifying management, reducing overhead, and ensuring consistent logging across accounts. This method eliminates the need for manual intervention in each account, making it an operationally efficient choice for organizations planning to scale their AWS usage.

AWS CloudTrail Documentation: Provides detailed instructions on setting up CloudTrail, including how to configure it for an organization.

AWS Organizations Documentation: Offers insights into best practices for managing multiple AWS accounts and how services like CloudTrail integrate with AWS Organizations.

AWS Best Practices for Security and Governance: Guides on how to effectively use AWS services to maintain a secure and well-governed AWS environment, with a focus on centralized logging and monitoring.

Migrating the containers that run the application to AWS Fargate for Amazon Elastic Container Service (Amazon ECS) will meet the requirement of not administering the Docker hosting environment. AWS Fargate is a serverless compute engine that runs containerswithout requiring any infrastructure management3. Creating an Amazon Elastic File System (Amazon EFS) file system and adding a volume to the Fargate task definition to point to the EFS file system will meet the requirement of low-latency storage that will automatically scale throughput to meet increased demand. Amazon EFS is a fully managed file system service that provides shared access to data from multiple containers, supports NFSv4 protocol, and offers consistent performance and high availability4. Amazon EFS also supports automatic scaling of throughput based on the amount of data stored in the file system5.

https://docs.aws.amazon.com/drs/latest/userguide/what-is-drs.htmlhttps://docs.aws.amazon.com/drs/latest/userguide/recovery-workflow-gs.html

Comprehensive and Detailed Explanation From Exact Extract:

The company needs the application in the secondary Region to operate independently from the primary Region during disaster recovery. That means both the DynamoDB data and the relational customer data must be present and usable in the secondary Region without cross-Region dependencies at runtime. The company also wants the least development effort, which usually means using native managed replication features rather than building custom replication logic.

For DynamoDB, global tables are the managed multi-Region, multi-active replication feature. Global tables replicate changes between Regions automatically and allow applications in each Region to read and write to local DynamoDB tables, removing dependencies on the primary Region.

For the RDS for MySQL database, the straightforward managed approach for cross-Region disaster recovery with minimal development change is to create a cross-Region read replica in the secondary Region. A read replica uses asynchronous replication to keep data up to date. During a disaster recovery event, the company can promote the read replica in the secondary Region to become a standalone primary database instance. This provides a simple, low-development approach for having the data in the secondary Region. The application in the secondary Region can be configured to use the replica endpoint in normal times and can continue operating with the promoted instance during failover.

Option A combines DynamoDB global tables with an RDS read replica in the secondary Region. This is the least development effort because it uses AWS-managed replication for both data stores and requires only configuration changes and endpoint selection in the secondary application.

Option B is not correct because DAX is a caching layer for DynamoDB, not a replication or disaster recovery mechanism. DAX does not replicate DynamoDB tables into another Region and cannot replace having the DynamoDB data present in the secondary Region.

Option C is incorrect because RDS Multi-AZ is a high availability feature within a single Region, using synchronous replication to a standby in another Availability Zone. Multi-AZ does not create a standby in a different Region, and it does not provide cross-Region DR by itself.

Option D is less desirable because it requires custom development and operations: processing DynamoDB streams, building and operating a replication pipeline, and ensuring correctness and ordering across Regions. This is higher development effort than enabling DynamoDB global tables.

Therefore, using DynamoDB global tables plus an RDS read replica in the secondary Region (option A) meets the DR independence requirement with the least development effort.

The awsvpc network mode provides each task with its own elastic network interface (ENI) and a primary private IP address1. By using this network mode, the solutions architect can isolate the tasks from each other and apply security groups to the tasks directly2. This way, the solutions architect can control the inbound and outbound traffic at the task level and enforce the least privilege principle3. IAM roles for tasks allow the solutions architect to assign permissions to each task separately, so that they can access other AWS resources that they need4. By using IAM roles for tasks, the solutions architect can avoid passing IAM credentials into the container at launch time, which is less secure and more prone to errors5.

awsvpc network mode

Task networking with the awsvpc network mode

Security groups for your VPC

IAM roles for tasks

Best practices for managing AWS access keys

The correct solution is to use an Amazon S3 File Gateway to store the copy of the SMB file share on AWS. An S3 File Gateway enables on-premises applications to store and access objects in Amazon S3 using the SMB protocol. The S3 File Gateway can also be accessed from AWS using the SMB protocol, which provides the ability to use the data from either the data center or AWS if a disaster occurs. The S3 File Gateway supports tiering of data to different S3 storage classes based on the file type. This allows the company to optimizethe storage costs by using S3 Standard-Infrequent Access (S3 Standard-IA) for the metadata files, which are rarely accessed but must be available within 5 minutes, and S3 Glacier Deep Archive for the image files, which are the lowest-cost storage class and suitable for long-term retention of data that is rarely accessed. This solution is the most cost-effective because it does not require any additional hardware, software, or replication services.

The other solutions are incorrect because they either use more expensive or unnecessary services or components, or they do not meet the requirements. For example:

Solution A is incorrect because it uses AWS Outposts with Amazon S3 storage, which is a very expensive and complex solution for the scenario in the question. AWS Outposts is a service that extends AWS infrastructure, services, APIs, and tools to virtually any data center, co-location space, or on-premises facility. It is designed for customers who need low latency and local data processing. Amazon S3 storage on Outposts provides a subset of S3 features and APIs to store and retrieve data on Outposts. However, this solution does not provide SMB access to the data on Outposts, which requires a Windows EC2 instance on Outposts as a file server. This adds more cost and complexity to the solution, and it does not provide the ability to access the data from AWS if a disaster occurs.

Solution B is incorrect because it uses Amazon FSx File Gateway and Amazon FSx for Windows File Server Multi-AZ file system that uses SSD storage, which are both more expensive and unnecessary services for the scenario in the question. Amazon FSx File Gateway is a service that enables on-premises applications to store and access data in Amazon FSx for Windows File Server using the SMB protocol. Amazon FSx for Windows File Server is a fully managed service that provides native Windows file shares with the compatibility, features, and performance that Windows-based applications rely on. However, this solution does not meet the requirements because it does not provide the ability to use different storage classes for the metadata files and image files, and it does not provide the ability to access the data from AWS if a disaster occurs. Moreover, using a Multi-AZ file system that uses SSD storage is overprovisioned and costly for the scenario in the question, which involves rarely accessed data that must be available within 5 minutes.

Solution D is incorrect because it uses an S3 File Gateway that uses S3 Standard-IA for both the metadata files and image files, which is not the most cost-effective solution for the scenario in the question. S3 Standard-IA is a storage class that offers high durability, availability, and performance for infrequently accessed data. However, it is more expensive than S3 Glacier Deep Archive, which is the lowest-cost storage class and suitable for long-term retention of data that is rarely accessed. Therefore, using S3 Standard-IA for the image files, which are likely to be larger and more numerous than the metadata files, is not optimal for the storage costs.

What is S3 File Gateway?

Using Amazon S3 storage classes with S3 File Gateway

Accessing your file shares from AWS

To restrict IAM actions to only administrator roles across all AWS accounts in an organization, the most operationally efficient solution is to create a Service Control Policy (SCP) that allows IAM actions exclusively for administrator roles and apply this SCP to the root Organizational Unit (OU) of AWS Organizations. This method ensures a centralized governance mechanism that uniformly applies the policy across all accounts, thereby minimizing the need for individual account-level configurations and reducing operational complexity.

AWS Documentation on AWS Organizations and Service Control Policies offers comprehensive information on creating and managing SCPs for organizational-wide policy enforcement. This approach aligns with AWS best practices for managing permissions and ensuring secure and compliant account configurations within an AWS Organization.

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The current CI/CD pipeline uses an IAM user with long-lived access keys stored in GitHub Actions. The new requirement is that pipelines must not use long-lived secret keys. Instead, the solution should provide short-lived credentials with minimal operational overhead.

GitHub Actions natively supports integration with cloud providers using OpenID Connect (OIDC). With OIDC, GitHub acts as an identity provider that can issue OIDC tokens to workflows. On the AWS side, IAM supports configuring an OIDC identity provider and roles that can be assumed by principals presenting valid OIDC tokens through the sts:AssumeRoleWithWebIdentity API. This pattern enables short-lived, automatically rotated credentials for CI/CD jobs without storing long-lived secrets.

In the correct solution (option B), you configure an IAM OIDC identity provider for GitHub in the AWS account. You then create a new IAM role with a trust policy that allows the Github OIDC provider to call sts:AssumeRoleWithWebIdentity, with conditions that restrict which repositories or workflows can assume the role. The existing IAM policy that grants deployment permissions is attached to that role. In GitHub Actions, you update the pipeline configuration to request an OIDC token and assume the IAM role at runtime. Each workflow run receives short-lived credentials without storing static keys, and AWS automatically handles the token verification and temporary credential issuance. This approach is the AWS-recommended pattern for integrating GitHub Actions with AWS without long-lived secrets and has low operational overhead once configured.

Option A uses SAML 2.0, which is typically used for enterprise single sign-on for users, not for GitHub Actions workflows. GitHub does not natively use SAML to obtain AWS credentials for CI/CD pipelines in the same streamlined way as OIDC, and implementing a SAML-based integration would add unnecessary complexity.

Option C introduces Amazon Cognito as an indirection layer. Although Cognito can federate with external identity providers, including social providers, using it as an intermediary to obtain temporary AWS credentials for a machine-to-machine CI/CD pipeline is not necessary when IAM OIDC federation with GitHub is directly supported. This adds additional configuration and operational overhead.

Option D uses IAM Roles Anywhere with client certificates from AWS Private CA. Roles Anywhere is designed for workloads running outside AWS that need to assume IAM roles using X.509 certificates instead of access keys. While technically possible, it requires managing private certificates, trust anchors, and a credential helper tool, which is more complex and operationally heavier than the direct OIDC integration specifically designed for GitHub Actions.

Therefore, configuring an IAM OIDC identity provider for GitHub and creating an IAM role to be assumed via sts:AssumeRoleWithWebIdentity (option B) meets the requirement to replace long-lived secret keys with short-lived credentials with the least operational overhead.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-time-control.html

Creating the Template:

Start by creating a CloudFormation template that includes all the VPC resources. This template should accurately reflect the current state and configuration of the VPC.

Using the CloudFormation Console:

Open the AWS Management Console and navigate to CloudFormation.

Choose "Create stack" and then select "With existing resources (import resources)".

Specifying the Template:

Upload the previously created template or specify the Amazon S3 URL where the template is stored.

Identifying the Resources:

On the "Identify resources" page, provide the identifiers for each VPC resource you wish to import. For example, for anAWS::EC2::VPCresource, use the VPC ID as the identifier.

Creating the Stack:

Complete the stack creation process by providing stack details and reviewing the changes. This will create a change set that includes the import operation.

Executing the Change Set:

Execute the change set to import the resources into the CloudFormation stack, making them managed by CloudFormation.

Verification and Drift Detection:

After the import is complete, run drift detection to ensure the actual configuration matches the template configuration.

This approach allows the company to manage their VPC and other resources via CloudFormation without the need to recreate resources, ensuring a smooth transition to automated infrastructure management.

References

Creating a stack from existing resources - AWS CloudFormation​(AWS Documentation)​.

Generating templates for existing resources - AWS CloudFormation​(AWS Documentation)​.

Bringing existing resources into CloudFormation management​(AWS Documentation)​.

Amazon ECS on Fargateis ideal forevent-driven, long-running jobswith minimal management. Combine S3event notificationswithEventBridge rulesto trigger a Fargate task per upload.

Using Fargate with EventBridge

A is correct because:

CloudFormation templatesenable repeatable infrastructure deployment.

Route 53 latency-based routingensures users hit the closest Region.

DynamoDB global tablesallow multi-Region, active-active replication of application data.

Manual console work (B) is not scalable.

C lacks EC2/ALB replication.

D adds unnecessary services like Beanstalk and doesn’t scale cleanly.

D is correct becauseRDS for PostgreSQLsupportsforeign data wrappers (FDW)that allow querying remote Oracle databases. WithAWS Schema Conversion Tool (SCT)andDatabase Migration Service (DMS), schema and data can be migrated effectively.AWS Direct Connectensures secure, private connectivity to on-prem databases. Cron jobs can be run via EventBridge or external orchestration.

A doesn't support relational/spatial querying.

B doesn’t support FDW or spatial types.

C introduces unnecessary complexity.

CloudFormation cannot delete non-empty S3 buckets. OptionAallows you to create acustom Lambda resourcethat deletes all objects in the S3 bucket before the stack deletes it. The DependsOn ensures the bucket deletion occurs only after the Lambda has completed.

B: Adding DeletionPolicy: Delete does not resolve the issue if the bucket still contains objects.

C: Snapshot doesn't apply to S3 and won't help here.

D: Changing to Amazon EFS would require architectural changes, which are not allowed per requirements.

Create a Transit Gateway:

Step 1: In the AWS Management Console, navigate to the VPC Dashboard.

Step 2: Select "Transit Gateways" and click on "Create Transit Gateway".

Step 3: Configure the transit gateway by providing a name and setting the options for Amazon side ASN and VPN ECMP support as needed.

Step 4: Attach each of the company’s VPCs and relevant subnets to the transit gateway. This centralizes the network management and simplifies the routing configurations, supporting scalable and flexible network architecture.

Set Up AWS PrivateLink:

Step 1: Create a Network Load Balancer (NLB) in the management VPC that points to the compute resource responsible for license validation.

Step 2: Create an AWS PrivateLink endpoint service pointing to this NLB.

Step 3: Allow each customer's VPC to create an interface endpoint to this PrivateLink service. This setup enables secure and private communication between the customer VPCs and the management VPC, ensuring one-way access from each customer's VPC to the management VPC for license validation.

This combination leverages the benefits of AWS Transit Gateway for scalable and centralized routing, and AWS PrivateLink for secure and private service access, meeting the requirement with minimal operational overhead.

References

Amazon VPC-to-Amazon VPC Connectivity Options

AWS PrivateLink - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

Connecting Your VPC to Other VPCs and Networks Using a Transit Gateway

Comprehensive and Detailed Explanation From Exact Extract:

For an EC2 instance to appear as a managed instance in AWS Systems Manager, several prerequisites must be met. Two of the most fundamental requirements are that the Systems Manager Agent (SSM Agent) is installed and running on the instance, and that the instance has an IAM role attached that grants the necessary permissions for Systems Manager to communicate with the service.

When importing a VM from an on-premises environment, the resulting AMI might not include the SSM Agent by default, or the agent might not be enabled to start automatically. If the agent is missing or not running, the instance cannot register with Systems Manager, and it will not appear in the Systems Manager console as a managed instance. Therefore, verifying that the SSM Agent is installed and running is a primary troubleshooting step.

Additionally, the EC2 instance must have an IAM instance profile (role) attached that includes the permissions required by Systems Manager. Typically, this is achieved by attaching a role that includes the AmazonSSMManagedInstanceCore managed policy. Without the appropriate IAM role, even a correctly installed and running agent will not be able to register the instance or perform Systems Manager operations.

Option C (VPC endpoint existence) is not required in this scenario because the instance is in a public subnet and has a public IP address. In this case, the instance can communicate with the Systems Manager endpoints over the internet. VPC endpoints are required when instances do not have internet access (for example, in private subnets without NAT or public IPs), which is not the case here.

Option D (Application Discovery Agent) is unrelated. The AWS Application Discovery Agent is used for migration assessment and discovery of on-premises workloads, not for Systems Manager managed instance registration.

Option E (service-linked roles) is generally not a common cause for a single instance failing to appear as managed, especially when other Systems Manager functionality is working in the account. Service-linked roles for Systems Manager are usually created automatically when needed and do not typically prevent an individual instance from registering if the agent and instance role are correctly configured.

Therefore, the correct troubleshooting steps are to verify the presence and operation of the Systems Manager Agent and to ensure the EC2 instance has the correct IAM role attached.

step function could run a scheduled task when triggered by eventbrige, but why would you add that layer of complexity just to run aws batch when you could directly invoke it through eventbridge. The link provided - https://aws.amazon.com/pt/blogs/compute/orchestrating-high-performance-computing-with-aws-step-functions-and-aws-batch/ makes sense only for HPC, this is a single instance that needs to be run

The workload consists of large batch-processing simulation jobs that read 15–20 GB per job from Amazon S3, write results back to S3, are not time sensitive, and can tolerate interruptions. These characteristics are ideal for using EC2 Spot Instances, which provide steep discounts compared to On-Demand pricing in exchange for potential interruptions.

AWS Batch is designed specifically for batch and simulation workloads. It can dynamically provision compute resources, manage job queues, retry failed jobs, and integrate tightly with EC2 Spot Instances. Using an AWS Batch compute environment that is configured to use EC2 Spot Instances with the SPOT_CAPACITY_OPTIMIZED allocation strategy allows AWS Batch to choose the lowest interruption-risk Spot capacity pools automatically while still giving the largest cost savings.

Option B leverages these capabilities. It creates an AWS Batch compute environment using only Spot Instances and uses the SPOT_CAPACITY_OPTIMIZED allocation strategy to select capacity across instance types with lower interruption rates. Since the simulations are not time sensitive and can withstand interruptions, the risk of Spot interruptions is acceptable, and AWS Batch will re-run interrupted jobs as needed. This combination provides the most cost-effective solution while minimizing operational overhead for job scheduling and capacity management.

Option A uses Lambda with Step Functions. Lambda has limits on memory, runtime, and payload size, making it a poor fit for processing 15–20 GB of data per job. In addition, the concurrency and invocation cost for large-scale, long-running simulation workloads would be higher and less cost-effective than EC2 Spot Instances.

Option C mixes On-Demand and Spot Instances. While this can provide reliability for more time-critical workloads, it is less cost-effective than a pure Spot configuration when the workload explicitly can tolerate interruptions and is not time sensitive.

Option D uses Amazon EKS with a mix of On-Demand and Spot Instances. While this can be made to work, it requires managing Kubernetes clusters, node groups, and job scheduling, which introduces more operational complexity than using AWS Batch, and the inclusion of On-Demand capacity reduces cost-effectiveness compared to pure Spot-based batch processing.

Therefore, using AWS Batch with EC2 Spot Instances and the SPOT_CAPACITY_OPTIMIZED allocation strategy (option B) is the most cost-effective solution for this tolerant, batch-processing workload.

https://aws.amazon.com/blogs/aws/use-cloudformation-stacksets-to-provision-resources-across-multiple-aws-accounts-and-regions/

https://repost.aws/knowledge-center/ecs-fargate-service-auto-scaling

AWS Control Tower provides a set of "strongly recommended guardrails" that can be enabled to implement governance and policy enforcement. One of these guardrails is "Encrypt Amazon RDS instances" which will detect RDS DB instances that are not encrypted at rest. By enabling this guardrail and applying it to the production OU, the company will be able to enforce encryption for RDS instances in the production environment.

The best solution is to stream the data to an Amazon Kinesis data stream and create an AWS Lambda function to consume the Kinesis data stream and to analyze the data. Amazon Kinesis is a web service that can collect, process, and analyze real-time streaming data from various sources, such as sensors. AWS Lambda is a serverless computing service that can run code in response to events, such as incoming data from a Kinesis data stream. By using AWS Lambda, the company can avoid provisioning or managing servers and scale automatically based on the demand. Amazon Simple Notification Service (Amazon SNS) is a web service that enables applications to send and receive notifications from the cloud. By using Amazon SNS, the company can notify the operations team immediately if any of the parameters fall out of acceptable ranges. This solution meets all the requirements of the company.

All features – The default feature set that is available to AWS Organizations. It includes all the functionality of consolidated billing, plus advanced features that give you more control over accounts in your organization. For example, when all features are enabled the management account of the organization has full control over what member accounts can do. The management account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access.https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set

This option allows the company to use AWS Client VPN to enable secure and private access to the Amazon ES cluster from any location1. By configuring and setting up an AWS Client VPN endpoint, the company can create a secure tunnel between the developers’ devices and the VPC2. By associating the Client VPN endpoint with a subnet in the VPC, the company can ensure that the trafficfrom the developers’ devices is routed to the Amazon ES cluster within the VPC3. By configuring a Client VPN self-service portal, the company can enable the developers to download and install the client for Client VPN, which is based on OpenVPN4. By instructing the developers to connect by using the client for Client VPN, the company can allow them to access Amazon ES to analyze and visualize logs directly from their local development machines.

What is AWS Client VPN?

Creating a Client VPN endpoint

Associating a target network with a Client VPN endpoint

Configuring a self-service portal

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-a-notification-when-an-iam-user-is-created.html

C is correct because:

AWS WAF integrates natively with API Gateway and protects against common web exploits (e.g., SQL injection, XSS).

Amazon Inspector can scan the legacy EC2 instance for known vulnerabilities.

Amazon GuardDuty is a continuous security monitoring service that detects threats butdoes not blocktraffic (B and D are incorrect because GuardDuty doesn’t block).

Create an S3 Bucket:

Log in to the AWS Management Console and navigate to Amazon S3.

Create a new S3 bucket that will serve as the destination for the application data.

Deploy AWS Storage Gateway:

Download and deploy the AWS Storage Gateway virtual machine (VM) on your on-premises environment. This VM can be deployed on VMware ESXi, Microsoft Hyper-V, or Linux KVM.

Configure the File Gateway:

Configure the deployed Storage Gateway as a file gateway. This will enable it to present Amazon S3 buckets as SMB file shares to your on-premises applications.

Create a New File Share:

Within the Storage Gateway configuration, create a new file share that is associated with the S3 bucket you created earlier. This file share will use the SMB protocol, allowing your on-premises applications to access the S3 bucket as if it were a local SMB file share.

Copy Data to the File Gateway:

Use your preferred method (such as robocopy, rsync, or similar tools) to copy data from the on-premises storage to the newly created file gateway endpoint. This data will be stored in the S3 bucket, maintaining accessibility through SMB.

Ensure Secure and Efficient Data Transfer:

AWS Storage Gateway ensures that all data in transit is encrypted using TLS, providing secure data transfer to AWS. It also provides local caching for frequently accessed data, improving access performance for on-premises applications.

This approach allows your existing on-premises applications to continue accessing data via SMB while leveraging the scalability and durability of Amazon S3.

References

AWS Storage Gateway Overview【67】.

AWS DataSync and Storage Gateway Hybrid Architecture【66】.

AWS S3 File Gateway Details【68】.

B. Add an outbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the destination over the default Aurora port. This allows theinstances to make outbound connections to the DB cluster on the default Aurora port. C. Add an inbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the source over the default Aurora port. This allows connections to the DB cluster from the EC2 instances on the default Aurora port.

S3 Event Notifications is a feature that allows users to receive notifications when certain events happen in an S3 bucket, such as object creation or deletion1. Users can configure S3 Event Notifications to invoke an AWS Lambda function when a user stores an image in the bucket. Lambda is a serverless compute service that runs code in response to events and automatically manages the underlying compute resources2. The Lambda function can resize the image in place and store the original file in the same S3 bucket. This way, the solution can handle significant variance in demand and be reliable at enterprise scale. Thesolution can also rerun processing jobs in the event of failure by using the retry and dead-letter queue features of Lambda2.

S3 Lifecycle is a feature that allows users to manage their objects so that they are stored cost-effectively throughout their lifecycle3. Users can create an S3 Lifecycle policy to move all stored images to S3 Standard-Infrequent Access (S3 Standard-IA) after 6 months. S3 Standard-IA is a storage class designed for data that is accessed less frequently, but requires rapid access when needed4. It offers a lower storage cost than S3 Standard, but charges a retrieval fee. Therefore, moving the images to S3 Standard-IA after 6 months can reduce the storage cost for the solution.

Option A is incorrect because using AWS Step Functions to process the S3 event that occurs when a user stores an image is not necessary or cost-effective. AWS Step Functions is a service that lets users coordinate multiple AWS services into serverless workflows. However, for this use case, a single Lambda function can handle the image resizing task without needing Step Functions.

Option B is incorrect because using Amazon EventBridge to process the S3 event that occurs when a user uploads an image is not necessary or cost-effective. Amazon EventBridge is a serverless event bus service that makes it easy to connect applications with data from a variety of sources. However, for this use case, S3 Event Notifications can directly invoke the Lambda function without needing EventBridge.

Option D is incorrect because using Amazon Simple Queue Service (Amazon SQS) to process the S3 event that occurs when a user stores an image is not necessary or cost-effective. Amazon SQS is a fully managed message queuing service that enables users to decouple and scale microservices, distributed systems, and serverless applications. However, for this use case, S3 Event Notifications can directly invoke the Lambda function without needing SQS. Moreover, storing the resized file in an S3 bucket that uses S3 Standard-IA will incur a retrieval fee every time the file is accessed, which may not be cost-effective for frequently accessed files.

B:https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.requests

D:https://aws.amazon.com/blogs/compute/robust-serverless-application-design-with-aws-lambda-dlq/c

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html