Amazon Practice Questions, Discussions & Exam Topics by our Authors
A company uses AWS Cost Explorer to monitor its AWS costs. The company notices that Amazon Elastic Block Store (Amazon EBS) storage and snapshot costs increase every month. However, the company does not purchase additional EBS storage every month. The company wants to optimize monthl...
To address the company’s goal of optimizing monthly costs for its current EBS storage usage, the solution must focus on reducing unnecessary costs related to EBS storage and snapshots. Let’s analyze each option based on the following key factors:
Key Factors:
1. Cost Optimization: The goal is to minimize storage and snapshot costs.
2. Operational Overhead: The solution should involve minimal operational overhead to ensure ease of management.
3. Practicality: The solution should be practical to implement without significant effort or complexity, especially in terms of ongoing management.
Option Analysis:
A) Use logs in Amazon CloudWatch Logs to monitor the storage utilization of Amazon EBS. Use Amazon EBS Elastic Volumes to reduce the size of the EBS volumes.
- Analysis: Monitoring storage utilization with CloudWatch Logs provides visibility into usage trends, but it does not directly solve the issue of snapshot costs or inefficient storage use. While Elastic Volumes allows for resizing of EBS volumes, the company is not purchasing additional storage monthly, so this option does not address the root cause of increasing snapshot costs, nor does it reduce operational overhead.
- Rejected: While this option may offer some insights, it doesn’t directly address the snapshot cost issue or optimize the snapshot lifecycle.
B) Use a custom script to monitor space usage. Use Amazon EBS Elastic Volumes to reduce the size of the EBS volumes.
- Analysis: A custom script to monitor space usage adds operational overhead and complexity, requiring ongoing maintenance. Elastic Volumes can resize EBS volumes, but as with Option A, this does not address the snapshot-related costs, which seem to be the larger issue in this case.
- Rejected: This soluti...
Author: Rahul · Last updated Apr 16, 2026
A company is developing a new application on AWS. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster, an Amazon S3 bucket that contains assets for the application, and an Amazon RDS for MySQL database that contains the dataset for the application. The dataset contains sensitive information. The company wants to ensure t...
To meet the requirements of ensuring that only the ECS cluster can access the data in the RDS for MySQL database and the S3 bucket, the solution must focus on restricting access to both resources. This can be done by configuring security controls, policies, and network settings to allow only the ECS tasks to interact with the database and the S3 bucket.
Let’s analyze the options based on key factors:
Key Factors:
1. Security: Only the ECS cluster should have access to the resources, ensuring proper isolation.
2. Operational Overhead: The solution should not require excessive configuration or ongoing management.
3. Network Isolation: It should ensure that the ECS tasks can access the resources within the appropriate network boundaries (e.g., VPC).
Option Analysis:
A) Create a new AWS Key Management Service (AWS KMS) customer-managed key to encrypt both the S3 bucket and the RDS for MySQL database. Ensure that the KMS key policy includes encrypt and decrypt permissions for the ECS task execution role.
- Analysis: This option focuses on encryption using KMS, which helps secure the data at rest. However, encryption alone does not control access to the data. The KMS key policy can help restrict which IAM roles or users can decrypt the data, but it does not restrict access to the S3 bucket or RDS database based on the network or identity of the ECS tasks. It is important to control access at the network or resource level, not just at the encryption level.
- Rejected: This solution only addresses encryption and lacks the necessary network and access control features to restrict access to the resources.
B) Create an AWS Key Management Service (AWS KMS) AWS-managed key to encrypt both the S3 bucket and the RDS for MySQL database. Ensure that the S3 bucket policy specifies the ECS task execution role as a user.
- Analysis: While AWS-managed keys provide encryption, they do not allow for granular access control at the level of the ECS tasks. Additionally, the S3 bucket policy restricts access to the ECS task execution role, but this does not ensure that the ECS cluster is the only entity accessing the S3 bucket or RDS database. The KMS key does not provide enough fine-grained control to meet the access restrictions for both resources.
- Rejected...
Author: Sofia2021 · Last updated Apr 16, 2026
A company has a web application that runs on premises. The application experiences latency issues during peak hours. The latency issues occur twice each month. At the start of a latency issue, the application's CPU utilization immediately increases to 10 times its normal amount.
The company wants to migrate the application to AWS to improve latency. The company also wants to scale the applicat...
To address the company's requirements, let's break down the key factors and analyze the available options:
Key Factors:
1. Latency Issues: The company wants to reduce latency during peak hours, specifically when CPU utilization increases significantly.
2. Automatic Scaling: The company needs a solution that can automatically scale when application demand increases.
3. Elastic Beanstalk Deployment: The solution must work with AWS Elastic Beanstalk, which handles the deployment and scaling of applications.
4. Specific Timing of Latency: The latency issues are predictable, occurring twice a month, and are associated with a rapid spike in CPU usage.
Option Analysis:
A) Configure an Elastic Beanstalk environment to use burstable performance instances in unlimited mode. Configure the environment to scale based on requests.
- Analysis: Burstable performance instances (such as T3 or T2 instances) are designed to handle occasional spikes in CPU utilization. In unlimited mode, the instances can burst beyond their baseline CPU performance for extended periods without incurring immediate costs, making this a potential fit for handling the latency spikes. Scaling based on requests can allow the application to automatically adjust its resources when demand increases, which helps with handling spikes in traffic.
- Pros: The unlimited mode feature helps accommodate CPU spikes, and scaling based on requests provides automatic scaling as demand rises.
- Cons: Scaling based on requests may not directly correlate with the CPU spikes that cause the latency issue, as there might not always be a direct link between the number of requests and CPU utilization.
B) Configure an Elastic Beanstalk environment to use compute-optimized instances. Configure the environment to scale based on requests.
- Analysis: Compute-optimized instances (like C5 or C6i instances) provide high CPU performance, making them suitable for applications with CPU-intensive workloads. However, the scaling is based on requests, which may not always directly trigger during the latency spike times when CPU utilization increases significantly.
- Pros: Compute-optimized instances can handle CPU-intensive applications, potentially improving performance during peak demand.
- Cons: As with Option A, scaling based on requests may not be effective in responding dire...
Author: Ava · Last updated Apr 16, 2026
A company has customers located across the world. The company wants to use automation to secure its systems and network infrastructure. The company's security team must be able to track and audit all inc...
To meet the company's requirement of automating the securing of systems and network infrastructure, while enabling the security team to track and audit all incremental changes, we need to focus on solutions that provide automation, visibility into infrastructure changes, and compliance tracking. Let's analyze each option in terms of key factors:
Key Factors:
1. Automation: The solution should automate infrastructure management to minimize manual intervention.
2. Tracking and Auditing Changes: The solution must allow for detailed tracking of incremental changes to the infrastructure for auditing and security purposes.
3. Scalability: The solution should support a global presence since the company has customers across the world.
4. Ease of Implementation: The solution should be easy to implement and align with best practices for infrastructure management and security.
Option Analysis:
A) Use AWS Organizations to set up the infrastructure. Use AWS Config to track changes.
- Analysis: AWS Organizations helps manage multiple AWS accounts, which is useful for large-scale, global environments. However, AWS Config is primarily used for tracking resource configurations and changes to AWS resources within an account, not for creating or managing infrastructure. While AWS Config can audit changes to resources, it does not directly automate infrastructure provisioning or management.
- Rejected: This option lacks the necessary automation for infrastructure provisioning, as AWS Organizations alone does not help in automating the setup of infrastructure. AWS Config is more for monitoring and auditing.
B) Use AWS CloudFormation to set up the infrastructure. Use AWS Config to track changes.
- Analysis: AWS CloudFormation automates the provisioning and management of infrastructure as code. It allows the company to define and deploy infrastructure consistently across multiple regions. AWS Config can track changes to resources deployed by CloudFormation, providing an audit trail ...
Author: ThunderBear · Last updated Apr 16, 2026
A startup company is hosting a website for its customers on an Amazon EC2 instance. The website consists of a stateless Python application and a MySQL database. The website serves only a small amount of traffic. The company is concerned about the reliability of the instance and needs to migrate to a highly available architecture. The company cannot mo...
To achieve high availability for the website, the company needs to ensure that both the web application and database are resilient and can continue functioning even if an instance or an entire Availability Zone fails. Given the constraints (stateless application and MySQL database), here is the reasoning for selecting the best actions:
Option Breakdown:
A) Provision an internet gateway in each Availability Zone in use.
- Reasoning: This option does not directly contribute to high availability. An internet gateway provides a route to the internet for instances in the VPC but does not handle failover, scaling, or redundancy. It’s mainly used to enable internet access for EC2 instances. The scenario doesn't require additional internet gateways to improve high availability for the application.
B) Migrate the database to an Amazon RDS for MySQL Multi-AZ DB instance.
- Reasoning: This option is a strong candidate for ensuring high availability. Amazon RDS Multi-AZ deployments automatically replicate the database to a standby instance in a different Availability Zone, providing automatic failover in the event of an issue with the primary instance. It also removes the need for the company to manage MySQL replication and failover manually, which is critical for reducing the risk of downtime and simplifying the management of the database.
C) Migrate the database to Amazon DynamoDB, and enable DynamoDB auto scaling.
- Reasoning: While DynamoDB is a fully managed NoSQL database service that scales automatically, it would require significant changes to the application code. Since the requirement specifies that the application code cannot be modified, migrating to DynamoDB is not...
Author: Deepak · Last updated Apr 16, 2026
A company is moving its data and applications to AWS during a multiyear migration project. The company wants to securely access data on Amazon S3 from the company's AWS Region and from the company's on-premises location. The data must not traverse the internet. The company has established an ...
To meet the requirement of securely accessing Amazon S3 data from both the AWS Region and the on-premises location without traversing the internet, we need a solution that ensures secure, private communication channels between the on-premises network, AWS, and S3. Below is an analysis of each option:
Option Breakdown:
A) Create gateway endpoints for Amazon S3. Use the gateway endpoints to securely access the data from the Region and the on-premises location.
- Reasoning: Gateway endpoints are the ideal choice for accessing Amazon S3 securely without the data traversing the internet. These endpoints create a private connection between your VPC and S3, ensuring that traffic remains within AWS’s private network. The AWS Direct Connect connection would facilitate access from the on-premises network to the VPC, allowing secure access to S3 through the gateway endpoint. Since this option uses a private route (via Direct Connect) and avoids internet traffic, it satisfies the requirement for secure, private communication.
B) Create a gateway in AWS Transit Gateway to access Amazon S3 securely from the Region and the on-premises location.
- Reasoning: While AWS Transit Gateway can provide a way to interconnect VPCs and on-premises environments, it doesn't directly solve the issue of accessing S3 securely. Transit Gateway is typically used for routing between multiple VPCs and on-premises locations, but accessing S3 securely would still require the use of a gateway endpoint or other services like VPC peering or private connections. This solution doesn't direc...
Author: Lucas Carter · Last updated Apr 16, 2026
A company created a new organization in AWS Organizations. The organization has multiple accounts for the company's development teams. The development team members use AWS IAM Identity Center (AWS Single Sign-On) to access the accounts. For each of the company's applications, the development teams must use a predefined application name to tag resources that are created.
A solutions architect needs to design ...
To meet the requirement of enforcing that resources can only be created if they are tagged with an approved "application name" value, we need to ensure that only resources with specific tags can be created across multiple accounts in the organization. Here's a breakdown of each option:
Option Breakdown:
A) Create an IAM group that has a conditional Allow policy that requires the application name tag to be specified for resources to be created.
- Reasoning: This option involves creating an IAM policy with a condition that ensures the "application name" tag is included when creating resources. However, IAM policies alone do not validate or enforce the tag values themselves (i.e., they won't validate if the value of the tag is approved). They can only require the existence of the tag. This option is useful for ensuring that tags are present but doesn't address the requirement to enforce an approved set of tag values.
B) Create a cross-account role that has a Deny policy for any resource that has the application name tag.
- Reasoning: This option doesn't fit the requirements because it only denies the creation of resources that already have the "application name" tag, which is the opposite of the intended requirement. The goal is to ensure that resources are only created with an approved "application name" tag value, not to block resources based on tag existence. This approach is not aligned with the requirement to enforce approved tag values at creation.
C) Create a resource group in AWS Res...
Author: Rahul · Last updated Apr 16, 2026
A company runs its databases on Amazon RDS for PostgreSQL. The company wants a secure solution to manage the master user password by rotating the password every 30 days.
Whic...
To meet the requirement of securely managing the master user password for Amazon RDS for PostgreSQL and rotating it every 30 days with the least operational overhead, let's break down the options:
Option Breakdown:
A) Use Amazon EventBridge to schedule a custom AWS Lambda function to rotate the password every 30 days.
- Reasoning: This option involves using Amazon EventBridge to schedule a custom Lambda function that would rotate the password. While this approach would meet the requirement, it involves more operational overhead because you would need to write, maintain, and manage a custom Lambda function for password rotation. Additionally, you would need to ensure that the Lambda function interacts with Amazon RDS, handles potential errors, and makes sure that the application using the database can retrieve the new password. This adds complexity and operational effort compared to more managed solutions.
B) Use the modify-db-instance command in the AWS CLI to change the password.
- Reasoning: While this option can manually rotate the password by using the `modify-db-instance` command, it requires manual intervention and would not be automated. Therefore, this option would require regular monitoring and manual updates, making it unsuitable for automatic password rotation on a set schedule (e.g., every 30 days), which increases the operational overhead.
C) Integrate AWS Secrets Manager with Amazon RDS for PostgreSQL to automate passwor...
Author: Elijah · Last updated Apr 16, 2026
A company performs tests on an application that uses an Amazon DynamoDB table. The tests run for 4 hours once a week. The company knows how many read and write operations the application performs to the table each second during the tests. The company does not currently use DynamoDB for any ot...
To optimize costs for the DynamoDB table, the solution must account for the specific requirements of the company: the application only performs tests once a week for 4 hours, and the company knows the read and write operations performed during the tests. Here is a breakdown of each option and how it aligns with the requirement:
Option Breakdown:
A) Choose on-demand mode. Update the read and write capacity units appropriately.
- Reasoning: DynamoDB's on-demand mode automatically adjusts capacity based on traffic patterns. It allows the company to only pay for the read and write requests made, without needing to configure or manage capacity units. Since the company’s application only runs tests for a few hours each week, on-demand mode is the most flexible and cost-efficient option. The company would only pay for the operations that occur during the test period, avoiding the need for manual capacity configuration and over-provisioning during idle periods. This option provides the least operational overhead and ensures the company does not pay for unused capacity.
B) Choose provisioned mode. Update the read and write capacity units appropriately.
- Reasoning: Provisioned mode requires manually setting the read and write capacity units. While this can be cost-effective when traffic is predictable, it would involve setting the capacity high enough to handle the peak usage during the tests. However, for the rest of the week, the table would be underutilized, leading to wasted capa...
Author: Maya2022 · Last updated Apr 16, 2026
A company runs its applications on Amazon EC2 instances. The company performs periodic financial assessments of its AWS costs. The company recently identified unusual spending.
The company needs a solution to prevent unusual spending. The solution must monitor costs ...
To address the company's need to prevent unusual spending on AWS EC2 instances and to notify responsible stakeholders about such events, let's analyze each of the provided options:
A) Use an AWS Budgets template to create a zero spend budget:
- AWS Budgets can be used to set custom cost and usage budgets, but the key issue with a "zero spend" budget is that it would essentially trigger alerts whenever spending goes above zero, which would be unrealistic for normal operation.
- The problem here is that a zero spend budget would not be practical, since the company’s applications on EC2 are expected to incur costs.
- Rejection reason: A zero spend budget would not be a realistic approach for monitoring regular usage and would generate unnecessary alerts.
- Scenario where it could be used: A zero spend budget could be used in environments where there should be no cost, such as test accounts or where no usage should be allowed.
B) Create an AWS Cost Anomaly Detection monitor in the AWS Billing and Cost Management console:
- AWS Cost Anomaly Detection uses machine learning models to detect unusual spending patterns based on historical usage and cost data. The service can automatically detect cost anomalies, and stakeholders can be notified whenever anomalous spending is detected.
- This option directly addresses the need to monitor for unusual spending and notify stakeholders automatically when such anomalies are identified.
- Selected option reasoning: It is the most appropriate solution because it automatically detects unusual spending patterns and sends notifications, which is exactly what the company needs.
- Scenario where it could be used: Any company looking to monitor spending in real-time and react to unexpected cost spikes would find this solution helpful.
C) Cr...
Author: Ethan Smith · Last updated Apr 16, 2026
A marketing company receives a large amount of new clickstream data in Amazon S3 from a marketing campaign. The company needs to analyze the clickstream data in Amazon S3 quickly. Then the company needs to determine whether to process the data furth...
To analyze the clickstream data stored in Amazon S3 and decide whether to process it further in the data pipeline, the solution needs to be both quick and efficient with the least operational overhead. Let's evaluate each of the options:
A) Create external tables in a Spark catalog. Configure jobs in AWS Glue to query the data:
- AWS Glue is a serverless data integration service, but it may have more overhead in terms of configuration and maintenance when compared to some other solutions.
- This solution involves managing a Spark catalog and configuring jobs, which can be complex and require more manual intervention, especially for simple queries.
- Rejection reason: Although AWS Glue is powerful, this solution may introduce unnecessary complexity for simply querying and analyzing clickstream data, leading to higher operational overhead.
B) Configure an AWS Glue crawler to crawl the data. Configure Amazon Athena to query the data:
- AWS Glue crawlers automatically discover metadata about the data in Amazon S3, and Amazon Athena allows querying that data using standard SQL.
- Athena is a fully managed, serverless query service that is easy to use and allows fast querying directly on data in Amazon S3 without needing to set up infrastructure.
- This solution is highly suitable because it provides a straightforward, serverless approach to querying the clickstream data. The Glue crawler simplifies metadata discovery, and Athena is optimized for querying large datasets with minimal setup and low operational overhead.
- Selected option reasoning: This solution meets the requirements for both speed and minimal operational overhead. It is also cost-effective because you pay only for the queries you run, with no infrastructure management required.
- Scenario where it could be used: This solution is ideal for situations where quick, ad-hoc querying of data ...
Author: CrimsonViperX · Last updated Apr 16, 2026
A company runs an SMB file server in its data center. The file server stores large files that the company frequently accesses for up to 7 days after the file creation date. After 7 days, the company needs to be able to access th...
To meet the requirements of the company’s SMB file server, we need a solution that can manage files that are frequently accessed for up to 7 days and can provide retrieval with a maximum time of 24 hours for files older than 7 days. Let's evaluate each option:
A) Use AWS DataSync to copy data that is older than 7 days from the SMB file server to AWS:
- AWS DataSync is a service used for automated data transfer between on-premises storage and AWS storage services like Amazon S3 or Amazon EFS.
- While this option would automate data transfer, it doesn't directly address the requirement for accessing files with a 24-hour retrieval time after 7 days.
- Rejection reason: DataSync helps with transferring data, but it doesn't offer specific functionality for file retrieval based on access patterns or retention. This solution focuses on moving data, not on managing lifecycle policies or retrieval speeds.
B) Create an Amazon S3 File Gateway to increase the company's storage space. Create an S3 Lifecycle policy to transition the data to S3 Glacier Deep Archive after 7 days:
- The S3 File Gateway allows the company to use on-premises applications for accessing S3 data through an SMB interface.
- S3 Glacier Deep Archive is a long-term archival storage solution that has retrieval times ranging from 12 hours to 48 hours. Since the company requires retrieval within a maximum of 24 hours, Glacier Deep Archive would not be suitable.
- Rejection reason: S3 Glacier Deep Archive is not ideal for files that need to be retrieved within 24 hours. It is intended for data that is rarely accessed and has long retrieval times.
C) Create an Amazon FSx File Gateway to increase the company's storage space. Create an Amazon S3 Lifecycle policy to transition the data after 7 days:
- Amazon FSx for Windows File Server provides fully managed Windows file storage that is accessible via SMB, and FSx File Gate...
Author: Carlos Garcia · Last updated Apr 16, 2026
A company runs a web application on Amazon EC2 instances in an Auto Scaling group. The application uses a database that runs on an Amazon RDS for PostgreSQL DB instance. The application performs slowly when traffic increases. The database experiences a heavy read load during perio...
To resolve the performance issues of the web application when traffic increases and the database experiences heavy read load, we need to focus on improving database performance during high traffic periods. Let's evaluate the provided options:
A) Turn on auto scaling for the DB instance:
- Auto Scaling for Amazon RDS applies to read replicas but does not directly apply to the primary DB instance itself. RDS does not have a traditional auto-scaling feature for scaling the primary instance based on load (i.e., auto scaling for the DB instance's size or capacity).
- Rejection reason: Auto scaling for the DB instance doesn’t address the issue of heavy read loads. Instead, other scaling methods, such as adding read replicas or caching, would be more appropriate.
B) Create a read replica for the DB instance. Configure the application to send read traffic to the read replica:
- Read replicas are a powerful solution for handling heavy read loads. By creating a read replica, the application can offload read traffic to the replica, which will help reduce the load on the primary DB instance.
- This approach improves read scalability without impacting the performance of the primary DB instance and can scale horizontally.
- Selected option reasoning: This is an appropriate solution because it offloads the read load from the primary instance to the read replica, improving performance during periods of high traffic. Additionally, read replicas can be easily configured and maintained in Amazon RDS.
C) Convert the DB instance to a Multi-AZ DB instance deployment. Configure the application to send read traffic to the standby DB instance:
- Multi-AZ deployments provide high availability by replicating data to a standby instance in a different Availability Zone. However, the standby instance is only for failover purposes and is not meant to handle read traffic.
- Rejection reason: The standby instance in a Multi-AZ setup is not accessible for read traffic, so it won't address the issue of heavy read loads. Multi-A...
Author: ElectricLionX · Last updated Apr 16, 2026
A company uses Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes to run an application. The company creates one snapshot of each EBS volume every day to meet compliance requirements. The company wants to implement an architecture that prevents the accidental deletion of EBS volume snapshots. The solution must not chang...
To meet the requirement of preventing accidental deletion of EBS volume snapshots without changing the administrative rights of the storage administrator, we need to focus on solutions that protect the snapshots from deletion while avoiding complex administrative overhead. Let’s evaluate the options:
A) Create an IAM role that has permission to delete snapshots. Attach the role to a new EC2 instance. Use the AWS CLI from the new EC2 instance to delete snapshots:
- This option involves creating an IAM role with permissions to delete snapshots and attaching it to an EC2 instance. The EC2 instance could then use the AWS CLI to delete snapshots.
- Rejection reason: This solution requires setting up an additional EC2 instance and using the CLI to perform deletions. It introduces unnecessary complexity and doesn't prevent accidental deletion by the storage administrator, nor does it offer an automated way to prevent deletions based on a simple policy. This is a more complex solution and doesn't align with the goal of minimizing administrative effort.
B) Create an IAM policy that denies snapshot deletion. Attach the policy to the storage administrator user:
- Creating an IAM policy that explicitly denies snapshot deletion is a direct approach to restricting actions, but it conflicts with the requirement to not change the administrative rights of the storage administrator.
- Rejection reason: This option requires modifying the storage administrator's IAM policy, which contradicts the requirement that administrative rights should not be altered. Additionally, it may be difficult to fine-tune permissions to avoid overly res...
Author: Aarav · Last updated Apr 16, 2026
A company's application uses Network Load Balancers, Auto Scaling groups, Amazon EC2 instances, and databases that are deployed in an Amazon VPC. The company wants to capture information about traffic to and from the network interfaces in near real time in its Amazon VPC. The compan...
To meet the company's requirement of capturing information about traffic to and from network interfaces in near real time in an Amazon VPC and sending this data to Amazon OpenSearch Service for analysis, let’s evaluate each option.
Option A:
Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Streams to stream the logs from the log group to OpenSearch Service.
- CloudWatch Logs is a service for logging and monitoring application behavior. VPC Flow Logs can be used to capture traffic information at the network interface level and send it to CloudWatch Logs.
- Amazon Kinesis Data Streams is used for real-time streaming of log data from CloudWatch Logs to other services, such as OpenSearch Service.
- This option is valid for streaming data from CloudWatch Logs to OpenSearch Service. However, Kinesis Data Streams might be more complex and costlier to manage compared to Kinesis Data Firehose.
Option B:
Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to send the log data to the log group. Use Amazon Kinesis Data Firehose to stream the logs from the log group to OpenSearch Service.
- CloudWatch Logs works here to capture VPC Flow Logs data.
- Amazon Kinesis Data Firehose is a fully managed service that can stream data directly to destinations like Amazon OpenSearch Service. Unlike Kinesis Data Streams, Kinesis Data Firehose is simpler to use and manage sin...
Author: Emma · Last updated Apr 16, 2026
A company is developing an application that will run on a production Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The EKS cluster has managed node groups that are provisioned with On-Demand Instances.
The company needs a dedicated EKS cluster for development work. The company will use the development cluster infrequently to test...
Let's analyze each option based on the company's requirement to create a cost-effective solution for a dedicated EKS cluster used infrequently for development and testing.
Key Requirements:
1. Infrequent use: The cluster will not be used often, so cost efficiency is important.
2. Managed EKS nodes: The EKS cluster should manage all the nodes.
3. Cost-effective: The solution should minimize costs as much as possible while ensuring it is resilient.
Option A:
Create a managed node group that contains only Spot Instances.
- Spot Instances are significantly cheaper than On-Demand Instances, making this a cost-effective option. Since the development cluster will be used infrequently, Spot Instances are a good fit. However, Spot Instances can be interrupted if the capacity is needed elsewhere, which could cause issues with resiliency and availability.
- Why it might be rejected: The infrequent use of the cluster might lead to issues when Spot Instances are interrupted, as the nodes may be removed from the cluster, potentially causing service disruption during tests. For resiliency testing, it might be better to ensure the cluster is stable.
Option B:
Create two managed node groups. Provision one node group with On-Demand Instances. Provision the second node group with Spot Instances.
- This option offers flexibility by combining On-Demand Instances for stability and Spot Instances for cost savings.
- Why it might be rejected: This option adds unnecessary complexity since the cluster is meant for infrequent development use. The combination of On-Demand and Spot Instances may lead to unnecessary cost increases, as the development cluster likely doesn't require such redundancy and comp...
Author: Ahmed · Last updated Apr 16, 2026
A company stores sensitive data in Amazon S3. A solutions architect needs to create an encryption solution. The company needs to fully control the ability of users to create, rotate, and disable encryption keys with mini...
Let’s analyze the requirements and evaluate each solution:
Key Requirements:
1. Full control over encryption keys: The company needs to manage the encryption keys fully.
2. Minimal effort for managing encryption: The solution should be easy to implement and maintain while giving the company full control over the keys.
Option A:
Use default server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to store the sensitive data.
- SSE-S3 provides server-side encryption using Amazon S3-managed keys. While this method is simple and effective, the company cannot fully control the encryption keys. AWS manages the keys automatically, so the company does not have the ability to create, rotate, or disable the keys themselves.
- Why it’s rejected: This solution does not meet the requirement for full control over the keys. It's a good option if minimal management is required, but it does not provide the level of control requested.
Option B:
Create a customer-managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
- SSE-KMS with a customer-managed key (CMK) in AWS KMS allows full control over the encryption keys. The company can create, rotate, and disable keys easily using the AWS KMS interface. This option also provides audit logging through AWS CloudTrail.
- Why this is ideal: This option directly aligns with the company’s needs for control and ease of management. The company retains full control over the encryption keys, and AWS KMS provides minimal effort for key manageme...
Author: Julian · Last updated Apr 16, 2026
A company wants to back up its on-premises virtual machines (VMs) to AWS. The company's backup solution exports on-premises backups to an Amazon S3 bucket as objects. The S3 backups must be retained for 30 days and must be automatical...
Let's break down the requirements and evaluate each option.
Key Requirements:
1. Backup S3 objects should be retained for 30 days: The backups must be kept for 30 days.
2. Backups must be automatically deleted after 30 days: After 30 days, the objects should be deleted automatically.
Option A: Create an S3 bucket that has S3 Object Lock enabled.
- S3 Object Lock is used to prevent objects from being deleted or overwritten for a defined retention period. While it ensures immutability of the objects, it is generally used for compliance or regulatory purposes where data cannot be modified or deleted during a retention period.
- Why it’s rejected: This option is not needed in this case because the company's requirement is simply to delete the objects automatically after 30 days, not to prevent deletion for regulatory compliance.
Option B: Create an S3 bucket that has object versioning enabled.
- S3 versioning allows you to keep multiple versions of an object in a bucket. While this is useful for recovering previous versions, it is not necessary for automatic deletion of objects after 30 days.
- Why it’s rejected: Versioning does not directly address the requirement of automatically deleting objects after 30 days. The objects can be retained as versions, but it adds complexity and is unnecessary for this particular requirement.
Option C: Configure a default retention period of 30 days for the objects.
- Default retention period generally refers to configurations in specific services like Amazon S3 Object Lock or certain compliance modes. However, it is not directly applicable to the requirement to automatically delete objects after 30 days unless S3 Object Lock is in place.
- Why it’s rejected: This option would only apply if you were using S3 Object Lock, but since the requirement is to delete objects after 30 days, a lifecycle policy is the better...
Author: SolarFalcon11 · Last updated Apr 16, 2026
A solutions architect needs to copy files from an Amazon S3 bucket to an Amazon Elastic File System (Amazon EFS) file system and another S3 bucket. The files must be copied continuously. New files are added to the original S3 bucket consistently. The copied files should be overwri...
Let's evaluate the given options based on the requirements and the most operationally efficient solution for copying files from Amazon S3 to both Amazon EFS and another S3 bucket with minimal overhead.
Key Requirements:
1. Continuous copying: The files in the source S3 bucket need to be copied continuously as new files are added.
2. Overwrite only if the source file changes: Files should be overwritten only if they have changed.
3. Minimal operational overhead: The solution should require minimal manual intervention and operational management.
Option A: Create an AWS DataSync location for both the destination S3 bucket and the EFS file system. Create a task for the destination S3 bucket and the EFS file system. Set the transfer mode to transfer only data that has changed.
- AWS DataSync is a fully managed service that automates data transfer between on-premises storage and AWS services (including S3 and EFS). The transfer mode of "only data that has changed" ensures that only modified or newly added files are transferred, addressing the requirement to avoid unnecessary overwriting.
- Why this is selected: DataSync is specifically designed for this type of use case where files need to be transferred efficiently and continuously, with minimal overhead. It also provides the benefit of automatic management and scalability.
- Why other options are rejected: This is the most efficient and scalable solution. DataSync abstracts away manual work and handles incremental transfers.
Option B: Create an AWS Lambda function. Mount the file system to the function. Set up an S3 event notification to invoke the function when files are created and changed in Amazon S3. Configure the function to copy files to the file system and the destination S3 bucket.
- AWS Lambda can be used to trigger file copying with S3 events (e.g., when new or modified files are uploaded to the source S3 bucket). However, mounting EFS to Lambda for file operations can be complex and may introduce performance bottlenecks, especially with large files. Additionally, Lambda’s limitations o...
Author: Kai · Last updated Apr 16, 2026
A company uses Amazon EC2 instances and stores data on Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure that all data is encrypted at rest by using AWS Key Management Service (AWS KMS). The company must be able to control rotatio...
To meet the requirements of ensuring that all data is encrypted at rest using AWS Key Management Service (AWS KMS) and having control over key rotation, let's evaluate each option based on key factors:
Option A: Create a customer managed key. Use the key to encrypt the EBS volumes.
- Pros:
  - You have full control over the key, including the ability to enable automatic key rotation (which is important for compliance and security).
  - You can configure access policies and permissions to define who can use and manage the key.
- Cons:
  - Operational overhead: You are responsible for the management of the key, including setting up key policies, monitoring usage, and ensuring key rotation.
  - This option requires more manual work compared to using AWS managed keys or AWS-owned keys.
Best used when: Full control over the key is needed, including the ability to control key rotation and key policies. This is suitable for organizations with strict security or compliance requirements.
Option B: Use an AWS managed key to encrypt the EBS volumes. Use the key to configure automatic key rotation.
- Pros:
  - AWS managed keys are fully managed by AWS, which reduces operational overhead.
  - Automatic key rotation is enabled by default for AWS managed keys, so you don't need to manually rotate keys.
- Cons:
  - Limited control over the key. You cannot customize key policies, and you cannot control key rotation beyond the AWS-defined settings.
  - While AWS takes care of the key management and rotation, you don’t have full flexibility in defining who can access and manage the key.
Best used when: You want encryption managed by AWS with minimal operational overhead. However, this option doesn't provide full control over the key, especially when you need to implement customized key policies or rotation schedules.
Option C: Create an external KMS key with imported key material. Use the key to encrypt the EBS volume...
Author: Sam · Last updated Apr 16, 2026
A company needs a solution to enforce data encryption at rest on Amazon EC2 instances. The solution must automatically identify noncompliant resources and enforce compliance policies on findings.
...
Let's evaluate the options based on the requirements: enforcing data encryption at rest on Amazon EC2 instances and automatically identifying noncompliant resources with the least administrative overhead.
Option A: Use an IAM policy that allows users to create only encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Config and AWS Systems Manager to automate the detection and remediation of unencrypted EBS volumes.
- Pros:
  - IAM policy ensures that users can only create encrypted EBS volumes, which enforces compliance at the creation level.
  - AWS Config can monitor resources and detect noncompliant configurations (unencrypted EBS volumes).
  - AWS Systems Manager Automation can automate remediation.
- Cons:
  - There is some administrative overhead in setting up IAM policies and AWS Config rules, though AWS Config is a powerful and flexible tool.
  - Systems Manager Automation requires configuring automation runbooks, adding some complexity.
Best used when: The primary goal is to enforce encryption at the time of creation and automate detection/remediation with AWS tools like Config and Systems Manager. This option requires a bit of setup but is effective and integrates with multiple AWS services.
Option B: Use AWS Key Management Service (AWS KMS) to manage access to encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Lambda and Amazon EventBridge to automate the detection and remediation of unencrypted EBS volumes.
- Pros:
  - AWS KMS can control access to encrypted EBS volumes, ensuring that only encrypted volumes are used.
  - Lambda and EventBridge can automate the detection and remediation of noncompliant EBS volumes based on real-time events.
- Cons:
  - Using Lambda and EventBridge introduces some complexity, as it requires creating event rules, Lambda functions, and additional monitoring.
  - AWS KMS does not directly enforce encryption on EBS volumes; it is more about managing key access.
  - Administrative overhead might be higher compared to simpler AWS Config-based solutions.
Best used when: The focus is on automating the detection and remediation of unencrypted volumes with real-time responses via EventBridge. This solution is more custom...
Author: Emily · Last updated Apr 16, 2026
A company is migrating its multi-tier on-premises application to AWS. The application consists of a single-node MySQL database and a multi-node web tier. The company must minimize changes to the application during the migration. The company wants to improve appl...
To meet the requirements of minimizing changes during the migration while also improving application resiliency after the migration, we will evaluate each option based on the need to maintain existing application architecture and enhance application fault tolerance.
Option A: Migrate the web tier to Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer.
- Pros:
  - Using Auto Scaling ensures that the web tier can scale based on demand, enhancing resiliency and performance during traffic spikes.
  - The Application Load Balancer (ALB) distributes traffic across the EC2 instances, increasing availability and fault tolerance.
  - This option minimizes changes to the application since EC2 instances maintain a similar environment to what the application is currently using on-premises (such as web servers running on VMs).
  - Resiliency is improved as EC2 instances are automatically replaced or scaled when necessary, ensuring the web tier remains highly available.
- Cons:
  - While this increases resiliency, some changes to the application may still be necessary, like configuring the application to run in an Auto Scaling environment.
Best used when: You want to migrate the web tier with minimal changes to the existing architecture and improve scalability and availability using Auto Scaling and a load balancer.
Option B: Migrate the database to Amazon EC2 instances in an Auto Scaling group behind a Network Load Balancer.
- Pros:
  - EC2 instances in an Auto Scaling group provide scalability.
  - The Network Load Balancer (NLB) can handle large amounts of traffic and maintain high availability for the database.
- Cons:
  - Using EC2 for MySQL introduces more complexity in terms of database management, backup, patching, and availability. Even though Auto Scaling helps with scalability, MySQL on EC2 lacks the reliability and features of a managed database service.
  - Resiliency is not as high as with fully managed database solutions, as MySQL on EC2 would require more operational overhead (e.g., setting up replication, failover).
Best used when: You need full control over the database configuration, but for most use cases, Amazon RDS provides a better solution for simplicity and resiliency.
Option C: Migrate the database to an Amazon RDS Multi-AZ deployment.
- Pros:
  - Amazon RDS is a fully managed relational database service that significantly reduces the operational overhead of running databases.
  - A Multi-AZ deployment automatically creates a synchronous stand...
Author: Ahmed97 · Last updated Apr 16, 2026
A company wants to migrate its web applications from on premises to AWS. The company is located close to the eu-central-1 Region. Because of regulations, the company cannot launch some of its applications in eu-central-1. The compan...
To meet the requirements of single-digit millisecond latency while also adhering to regulations that prevent certain applications from running in the eu-central-1 region, let's evaluate the options.
Option A: Deploy the applications in eu-central-1. Extend the company’s VPC from eu-central-1 to an edge location in Amazon CloudFront.
- Pros:
  - CloudFront edge locations provide low-latency content delivery.
  - CloudFront caches content closer to users, improving performance for static content.
- Cons:
  - This option would not solve the problem of latency for dynamic application traffic, especially since the company is restricted from running some applications in the eu-central-1 region. Extending a VPC to an edge location would not help meet the regulatory requirements.
  - CloudFront edge locations focus on content delivery but do not provide compute resources that may be required for the application to run.
Best used when: The focus is on caching and distributing static content, but it does not address the application's core requirements of running in a specific region while meeting latency and regulatory restrictions.
Option B: Deploy the applications in AWS Local Zones by extending the company’s VPC from eu-central-1 to the chosen Local Zone.
- Pros:
  - AWS Local Zones are designed to provide low-latency access to AWS services for applications that require proximity to end users.
  - This solution can provide the single-digit millisecond latency needed, and Local Zones can run workloads closer to the desired region while potentially meeting regulatory restrictions.
  - Local Zones are typically located near major population centers, improving latency while keeping data in a specific region.
- Cons:
  - Not all AWS services are available in Local Zones. However, Local Zones can provide good options for applications that require low latency.
  - Local Zones are available in specific locations, so it’s important to verify whether the Local Zone can be deployed in a location that meets the regulatory requirements.
Best used when: You want to meet low-latency needs with applications that are not allowed to run in the primary region (such as eu-central-1) but can still meet regulatory and proximity requirements by using Local Zones.
Option C: Deploy the appl...
Author: CrimsonViperX · Last updated Apr 16, 2026
A company's ecommerce website has unpredictable traffic and uses AWS Lambda functions to directly access a private Amazon RDS for PostgreSQL DB instance. The company wants to maintain predictable database performance and ensure that the Lambda invocations do not ov...
Objective:
The company wants to maintain predictable database performance for its e-commerce website and ensure that the Lambda invocations do not overload the Amazon RDS for PostgreSQL database with too many connections.
Key challenges:
- Unpredictable traffic: Lambda functions may be invoked frequently and in unpredictable bursts.
- Database overload: Too many simultaneous connections from Lambda functions can overwhelm the RDS instance, especially since Lambda functions do not have a built-in mechanism to limit database connections.
Evaluation of options:
Option A: Point the client driver at an RDS custom endpoint. Deploy the Lambda functions inside a VPC.
- RDS Custom Endpoint: This refers to an endpoint for connecting to the database, but RDS custom endpoints do not offer the connection pooling and management features needed to handle varying traffic and prevent overload.
- VPC Deployment: Deploying Lambda inside a VPC allows it to connect securely to RDS, but without connection pooling, Lambda will still attempt to create a new connection to the database with each invocation, leading to potential connection overload.
- Why rejected: While it ensures security and VPC connectivity, no connection pooling is in place, meaning the traffic spikes could still lead to RDS overload.
Option B: Point the client driver at an RDS proxy endpoint. Deploy the Lambda functions inside a VPC.
- RDS Proxy: An Amazon RDS Proxy is specifically designed to manage database connections efficiently. It maintains a pool of connections to the RDS database, which helps mitigate the issue of too many connections being established from Lambda functions. It also helps reduce the time Lambda functions spend establishing connections to the database.
- VPC Deployment: Lambda functions must be deployed inside a VPC to access the RDS instance privately. Th...
Author: Harper · Last updated Apr 16, 2026
A company is creating an application. The company stores data from tests of the application in multiple on-premises locations.
The company needs to connect the on-premises locations to VPCs in an AWS Region in the AWS Cloud. The number of accounts and VPCs will increase during the next year. The network architecture must simplify the administr...
Solution Evaluation
To meet the company’s needs of connecting multiple on-premises locations to VPCs in AWS, the solution must:
- Simplify administration for adding new connections as the number of VPCs and accounts grows.
- Provide scalability to handle increasing numbers of connections over time.
- Minimize administrative overhead while ensuring flexibility and ease of management.
Let's evaluate each option based on these requirements:
A) Create a peering connection between the VPCs. Create a VPN connection between the VPCs and the on-premises locations.
- Peering connection: Peering connections are typically used for connecting VPCs in the same or different accounts. However, VPC peering connections are limited to a one-to-one connection model, which means that as the number of VPCs increases, the number of peering connections grows exponentially. This leads to complex management as the network expands.
- VPN connection: Creating a VPN connection between the VPCs and the on-premises locations requires setting up and managing VPN tunnels for each connection. This could be labor-intensive and less efficient when scaling the number of connections.
- Drawbacks: This option is not ideal for scaling because it requires manually configuring each peering and VPN connection. The overhead will increase as the number of VPCs and on-premises locations grows.
B) Launch an Amazon EC2 instance. On the instance, include VPN software that uses a VPN connection to connect all VPCs and on-premises locations.
- EC2 instance with VPN software: While this setup could potentially route traffic between VPCs and on-premises locations, it involves launching and maintaining EC2 instances with VPN software. This would create a single point of failure and require manual management of VPN configurations on each instance.
- Drawbacks: Using EC2 instances for this purpose adds significant complexity, operational overhead, and potential failure risks. Additionally, the scaling of this setup would be cumbersome as the number of VPCs increases.
C) Create a transit gateway. Create VPC attachments for the VPC connections. Create VPN attachments for the on-premises connections.
- Transit Gateway: A transit gateway acts as a central hub that connects multiple VPCs, as well as on-premises network...
Author: Vikram · Last updated Apr 16, 2026
A company that uses AWS needs a solution to predict the resources needed for manufacturing processes each month. The solution must use historical values that are currently stored in an Amazon S3 bucket. The company has no machine learning (ML) experience and wants to use a man...
Solution Evaluation
The company needs to predict the resources required for manufacturing processes each month using historical data stored in Amazon S3. The company has no machine learning (ML) experience and prefers a managed service to handle training and predictions.
Let's evaluate the options based on the requirements:
A) Deploy an Amazon SageMaker model. Create a SageMaker endpoint for inference.
- Amazon SageMaker: SageMaker is a powerful ML service that can be used for training and deployment, but it requires a certain level of ML expertise to use effectively. For a company with no ML experience, deploying and managing a SageMaker model could be complex, as it involves understanding model development, tuning, and managing inference endpoints.
- Drawbacks: While SageMaker is a fully managed service, it would require some ML knowledge to use effectively, and it might be overkill for the company's needs given their lack of experience and the specific requirement to make resource predictions without much complexity.
B) Use Amazon SageMaker to train a model by using the historical data in the S3 bucket.
- Amazon SageMaker: As mentioned above, SageMaker can train models on data stored in S3. However, it requires more technical know-how for the user to set up, train, and deploy a model, especially without ML expertise. The company would need to manage data preprocessing, feature engineering, model training, and tuning.
- Drawbacks: This option still requires a level of expertise that the company lacks, making it a less ideal choice for this scenario.
C) Configure an AWS Lambda function with a function URL that uses Amazon SageMaker endpoints to create predictions based on the inputs.
- AWS Lambda: Lambda can invoke SageMaker endpoints to make predictions, but this requires already having a SageMaker model deployed and set up for inference (as per option A). It also assumes the company would be comfortable managing and invoking Lambda functions and SageMaker endpoints, which still requires some expertise in both Lambda and SageMaker.
- Drawbacks: Similar to option A, this approach still requires expertise in setting up SageM...
Author: Ahmed97 · Last updated Apr 16, 2026
A company manages AWS accounts in AWS Organizations. AWS IAM Identity Center (AWS Single Sign-On) and AWS Control Tower are configured for the accounts. The company wants to manage multiple user permissions across all the accounts.
The permissions will be used by multiple IAM users and must be split between the developer and administrator teams. Each team requires different permissions...
Solution Evaluation
The company needs to manage user permissions across multiple AWS accounts in AWS Organizations. The solution should allow permissions to be split between developer and administrator teams, and the solution must scale easily as new users are hired. The key factor for success is minimizing operational overhead while ensuring the security and correctness of permissions.
A) Create individual users in IAM Identity Center for each account. Create separate developer and administrator groups in IAM Identity Center. Assign the users to the appropriate groups. Create a custom IAM policy for each group to set fine-grained permissions.
- IAM Identity Center: While using IAM Identity Center (AWS SSO) to create groups and assign users is a good idea, manually creating custom IAM policies for each group would require significant operational overhead, especially as the number of users and accounts grows. Managing fine-grained IAM policies requires careful oversight and frequent updates as permissions change.
- Drawbacks: This approach will lead to more manual effort in managing policies for each team, especially when new permissions need to be introduced or modified. It’s not the most efficient solution when scaling for many users and accounts.
B) Create individual users in IAM Identity Center for each account. Create separate developer and administrator groups in IAM Identity Center. Assign the users to the appropriate groups. Attach AWS managed IAM policies to each user as needed for fine-grained permissions.
- AWS Managed IAM Policies: Attaching AWS-managed IAM policies can reduce operational overhead compared to creating custom policies. However, this still involves assigning users to individual accounts manually and managing users across different accounts. AWS-managed policies might not provide the specific fine-grained control that the company requires for each team.
- Drawbacks: While using AWS managed policies simplifies the setup compared to custom policies, managing users individually per account and not leveraging scalable permission sets would still create significant overhead as the number of accounts and users grows.
C) Create individual users in IAM Identity Center. Create new developer and administrator groups in IAM Identity Center. Create new permission sets that include the appropriate IAM policies for each group. Assign the new groups to the appropriate accounts. Assign the new permission sets to the new groups. When new...
Author: ShadowWolf101 · Last updated Apr 16, 2026
A company wants to standardize its Amazon Elastic Block Store (Amazon EBS) volume encryption strategy. The company also wants to minimize the cost and configuration effort required to ope...
Solution Evaluation
The company wants to standardize its Amazon EBS volume encryption strategy while minimizing the cost and configuration effort required to check whether the EBS volumes are encrypted. Let's evaluate each solution based on these goals:
A) Write API calls to describe the EBS volumes and to confirm the EBS volumes are encrypted. Use Amazon EventBridge to schedule an AWS Lambda function to run the API calls.
- API Calls: Writing API calls to describe the EBS volumes and confirm encryption would require custom code. You would need to handle the logic for checking if volumes are encrypted and potentially take further actions if any are unencrypted.
- EventBridge and Lambda: Using EventBridge and Lambda introduces an operational overhead of maintaining the Lambda function, configuring the event schedule, and ensuring the Lambda function runs as expected.
- Drawbacks: While this solution is flexible, it adds complexity in terms of code maintenance, operational overhead, and potential debugging. Additionally, it doesn't fully automate the process in a declarative way.
B) Write API calls to describe the EBS volumes and to confirm the EBS volumes are encrypted. Run the API calls on an AWS Fargate task.
- Fargate Task: Running the API calls on an AWS Fargate task involves deploying containers, which is more complex compared to other options. Fargate provides a serverless environment for containers, but it introduces additional management and configuration complexity.
- Drawbacks: This solution introduces unnecessary complexity for a task that could be handled with simpler tools. Running Fargate tasks requires managing containerized applications and may increase operational overhead without providing any added benefit over simpler methods.
C) Create an AWS Identity and Access Management (IAM) policy that requires the use of tags on EBS volumes. Use AWS Cost Explorer to display resources ...
Author: Manish · Last updated Apr 16, 2026
A company regularly uploads GB-sized files to Amazon S3. After the company uploads the files, the company uses a fleet of Amazon EC2 Spot Instances to transcode the file format. The company needs to scale throughput when the company uploads data from the on-premises data center to Amazon S3 and wh...
Solution Evaluation
The company needs to optimize the throughput for uploading data to Amazon S3 and downloading it to EC2 Spot Instances for transcoding. Let's evaluate each solution option based on the key requirements of scaling throughput and improving file transfer efficiency.
A) Use the S3 bucket access point instead of accessing the S3 bucket directly.
- S3 Access Points: Access points are designed to simplify access management for shared data sets in S3. While useful for managing access to specific applications or teams, access points do not directly improve the throughput of file uploads or downloads.
- Drawbacks: Using S3 access points does not inherently scale the throughput or optimize the file transfer process. It mainly provides access control benefits rather than improving the speed of uploads or downloads.
- Not ideal: This solution does not directly address throughput concerns for uploading or downloading large files.
B) Upload the files into multiple S3 buckets.
- Multiple S3 Buckets: Uploading files to multiple S3 buckets could potentially balance the load for certain access patterns, but it doesn’t necessarily improve throughput during uploads or downloads. It could add complexity in managing the data across multiple buckets, and it would not provide a significant throughput improvement over using a single bucket.
- Drawbacks: While multiple buckets might help in certain scenarios (e.g., for separate applications or organizational purposes), it does not optimize the throughput for bulk data transfer operations. Managing data across multiple buckets can also add unnecessary complexity.
C) Use S3 multipart uploads.
- S3 Multipart Uploads: Multipart uploads allow large objects to be uploaded in parallel in smaller chunks, significantly improving upload throughput for large files. This method breaks the file into smaller parts and uploads them in parallel, increasing overall throughput and reducing the time taken for uploads.
- Benefits: This solution directly addresses the need to scale throughput during uploads, making it ideal for larg...
Author: Vikram · Last updated Apr 16, 2026
A solutions architect is designing a shared storage solution for a web application that is deployed across multiple Availability Zones. The web application runs on Amazon EC2 instances that are in an Auto Scaling group. The company plans to make frequent changes to the content. The solution must have str...
Analysis of Each Option:
A) Use AWS Storage Gateway Volume Gateway Internet Small Computer Systems Interface (iSCSI) block storage that is mounted to the individual EC2 instances.
- Explanation: The AWS Storage Gateway Volume Gateway is primarily designed to integrate on-premises environments with cloud storage, typically used for hybrid cloud solutions. It supports block-level storage (iSCSI), but this option doesn't fit well for EC2 instances in a highly available, auto-scaled environment that needs high-performance storage with instant data consistency across multiple Availability Zones.
- Reason Rejected: This solution doesn't provide the required strong consistency across EC2 instances in Auto Scaling groups. Volume Gateway is also more focused on hybrid-cloud storage solutions rather than real-time content updates.
- When can this be used: This could be used for hybrid cloud applications where local on-premises data needs to be integrated with cloud storage, not for auto-scaling web application content.
B) Create an Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system on the individual EC2 instances.
- Explanation: Amazon EFS provides a shared file system that can be mounted across multiple EC2 instances in different Availability Zones, offering a managed, scalable solution for applications requiring a shared storage system. It supports strong consistency, meaning that once changes are made to the content, they are immediately visible to all EC2 instances.
- Why selected: EFS provides the necessary scalability, high availability across Availability Zones, and strong consistency, making it a good fit for web applications where frequent changes to content must be immediately visible to all instances.
- When can this be used: This is ideal for use cases where multiple EC2 instances in different Availability Zones need consistent access to a shared file system, such as web applications serving frequently updated content.
C) Create a shared Amazon Elastic Block Store (Amazon EBS) volume. Mount the EBS volume on the individual EC2 instances.
- Explanation: Amazon EBS volumes are designed to be attached to a single EC2 instance at a time, which means they cannot be shared simultaneously across multiple EC2 instances. This would create a bottleneck if multiple instances are trying to access the same content. While EBS offers high performance and strong consistency, the lack of shared access across multiple...
Author: Emma · Last updated Apr 16, 2026
A company is deploying an application in three AWS Regions using an Application Load Balancer. Amazon Route 53 will be used to distribute traffic between these Regions.
Which Route 53 configura...
Analysis of Each Option:
A) Create an A record with a latency policy.
- Explanation: Latency-based routing in Amazon Route 53 allows for directing traffic to the region with the lowest latency. This ensures that users are directed to the region that will give them the fastest response time. This is ideal for an application that spans multiple regions, as it can help improve performance by directing users to the nearest AWS region.
- Why selected: This is the most appropriate solution for high-performance routing when the application is deployed in multiple AWS Regions. The latency policy ensures that traffic is directed to the region with the least latency, which is a critical factor for performance.
- When can this be used: This is perfect for applications where minimizing latency and improving user experience are key requirements, especially when the application serves users globally and latency is a significant factor.
B) Create an A record with a geolocation policy.
- Explanation: A geolocation policy allows traffic to be routed based on the geographic location of the users. While this can be useful in some cases, it is not the best choice for performance optimization. It will direct users to a specific region based on their geographic location, but it doesn’t necessarily take into account the region with the lowest latency.
- Reason Rejected: This is not ideal for the most high-performing experience, as it may route users to a region that is geographically close but not the lowest in latency. Latency is a more critical factor for performance than geographic proximity.
- When can this be used: This would be useful if you need to route users based on their specific countries or continents, but it’s less effective when minim...
Author: IceDragon2023 · Last updated Apr 16, 2026
A company has a web application that includes an embedded NoSQL database. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone.
A recent increase in traffic requires the application to be highly avail...
Analysis of Each Option:
A) Replace the ALB with a Network Load Balancer. Maintain the embedded NoSQL database with its replication service on the EC2 instances.
- Explanation: A Network Load Balancer (NLB) can handle a higher volume of traffic compared to an ALB, but it does not provide application-level routing features like an ALB. Replacing the ALB with an NLB may not offer significant benefits for a web application and would increase complexity. Additionally, maintaining an embedded NoSQL database with replication on EC2 instances is not an ideal solution in this scenario due to the operational overhead of managing replication and consistency across multiple EC2 instances.
- Reason Rejected: Managing the embedded NoSQL database replication manually on EC2 instances would involve significant operational overhead (e.g., ensuring data consistency, replication, failover handling), making this option less desirable than using a managed service.
- When can this be used: This option might be suitable for very specific use cases where the company has strong operational expertise with managing databases and requires an NLB for extremely high traffic.
B) Replace the ALB with a Network Load Balancer. Migrate the embedded NoSQL database to Amazon DynamoDB by using AWS Database Migration Service (AWS DMS).
- Explanation: Replacing the ALB with an NLB and migrating the NoSQL database to Amazon DynamoDB using AWS DMS could be a good option, as DynamoDB is a fully managed, highly available, and scalable NoSQL database with eventual consistency. DynamoDB is designed for such use cases, reducing operational overhead and ensuring high availability. However, like option A, using an NLB instead of an ALB doesn't provide significant value for an application that already has an ALB for HTTP/HTTPS traffic, as NLBs are more suited for network-level traffic.
- Reason Rejected: The main drawback here is the unnecessary complexity of switching to an NLB when an ALB would be better suited for handling web traffic (HTTP/HTTPS), which is more appropriate for the application use case. NLBs are more appropriate for non-HTTP protocols or extreme traffic volumes that need high throughput.
- When can this be used: This could be used when you need to migrate to DynamoDB but still need to manage the traffic routing at the network layer for specific, non-HTTP traffic.
C) Modify the Auto Scaling group to use EC2 instances across three Availability...
Author: Aria · Last updated Apr 16, 2026
A company is building a shopping application on AWS. The application offers a catalog that changes once each month and needs to scale with traffic volume. The company wants the lowest possible latency from the application. Data from each user's shopping cart needs to be highly available. User session data must be available even if t...
Analysis of Each Option:
A) Configure an Application Load Balancer to enable the sticky sessions feature (session affinity) for access to the catalog in Amazon Aurora.
- Explanation: Sticky sessions (session affinity) allow requests from the same user to be routed to the same EC2 instance in an Auto Scaling group, which could help with user session persistence. However, the sticky session feature of the Application Load Balancer does not guarantee that user shopping cart data will be highly available or persistent if the user disconnects and reconnects. Additionally, Amazon Aurora is a relational database that might not be the best fit for high-availability session data, especially given the need to persist shopping cart data.
- Reason Rejected: This solution doesn’t address the need for highly available, persistent session data. Aurora might be a good choice for a catalog, but sticky sessions only solve part of the problem (routing traffic), and they are not designed to ensure the availability of user session data across instances or after disconnection.
- When can this be used: This option might be used if the primary focus is on managing database connections for the catalog, but it does not fully address the session persistence and high availability requirements.
B) Configure Amazon ElastiCache for Redis to cache catalog data from Amazon DynamoDB and shopping cart data from the user's session.
- Explanation: Amazon ElastiCache for Redis is an excellent solution for caching session data, providing low-latency access to shopping cart data, and offering high availability with data replication across multiple Availability Zones. Redis also supports persistence, so if a user disconnects and reconnects, the session data can be retrieved seamlessly. For the catalog, caching data from DynamoDB in Redis can help with scaling the application and reducing latency when accessing frequently used catalog information.
- Why selected: This option addresses both low-latency requirements and the need for session data persistence. Redis is designed to handle high-throughput and low-latency operations and can be configured to persist session data. It also offers high availability, making it well-suited for the scenario where user session data must be available even if the user disconnects and reconnects.
- When can this be used: This is ideal when you need low-latency acc...
Author: Ryan · Last updated Apr 16, 2026
A company is building a microservices-based application that will be deployed on Amazon Elastic Kubernetes Service (Amazon EKS). The microservices will interact with each other. The company wants to ensure that the application is obs...
Analysis of Each Option:
A) Configure the application to use Amazon ElastiCache to reduce the number of requests that are sent to the microservices.
- Explanation: While Amazon ElastiCache is a powerful tool for improving application performance by caching frequently accessed data, it doesn't provide the observability needed to identify performance issues in the application. It helps in optimizing the performance by reducing direct load on the microservices, but it doesn't offer monitoring or tracing capabilities.
- Reason Rejected: This solution addresses performance optimization but not observability or tracing of interactions between microservices. The goal is to identify issues in real time, which ElastiCache does not provide.
- When can this be used: ElastiCache is ideal when you need to improve performance through caching, not for monitoring or observability purposes.
B) Configure Amazon CloudWatch Container Insights to collect metrics from the EKS clusters. Configure AWS X-Ray to trace the requests between the microservices.
- Explanation: Amazon CloudWatch Container Insights is a service that collects metrics, logs, and traces from containers running on EKS, providing deep insights into cluster performance, resource utilization, and application behavior. AWS X-Ray can be integrated with microservices to trace requests as they flow through the system, helping identify performance bottlenecks, latency issues, and errors.
- Why selected: This option is the most comprehensive solution for achieving observability. CloudWatch Container Insights provides monitoring at the container and cluster levels, while AWS X-Ray gives detailed traceability of requests across microservices, making it easy to diagnose performance issues. This combined approach ensures both metrics and traces are available for analysis.
- When can this be used: This solution is ideal for microservices-based applications running on EKS, where identifying performance issues, understanding bottlene...
Author: SolarFalcon11 · Last updated Apr 16, 2026
A company needs to provide customers with secure access to its data. The company processes customer data and stores the results in an Amazon S3 bucket.
All the data is subject to strong regulations and security requirements. The data must be encrypted at rest. Each customer must be able to access only thei...
To meet the requirements of encrypting customer data at rest, providing secure access to data only to the respective customer, and preventing employees from accessing the data, we need to carefully evaluate each option based on key factors such as encryption mechanisms, access control, and policy management.
Option A: Provision an AWS Certificate Manager (ACM) certificate for each customer. Encrypt the data client-side. In the private certificate policy, deny access to the certificate for all principals except an IAM role that the customer provides.
- Client-side encryption: While client-side encryption ensures that data is encrypted before it reaches Amazon S3, it can add complexity in terms of key management. The customer would be responsible for managing the encryption keys, and the company would not have direct access to the encrypted data.
- Certificate management: Using AWS ACM for client-side encryption is unconventional since ACM primarily handles SSL/TLS certificates, which are typically used for securing connections (e.g., HTTPS), not for encrypting the data stored in S3.
- IAM roles: The IAM policy applied to the certificate may limit access, but managing encryption and key access at this scale (with many customers) using certificates could become difficult.
Reason for rejection: The use of ACM for client-side encryption is not ideal for this scenario. It doesn't align well with the AWS best practices for securely storing encrypted data in S3. Additionally, managing certificates for encryption and access control for many customers would be complex.
Option B: Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In the S3 bucket policy, deny decryption of data for all principals except an IAM role that the customer provides.
- Server-side encryption: AWS KMS can manage keys for server-side encryption, making it easier to manage encryption at rest. The data is encrypted in S3 using a key stored and controlled by AWS KMS.
- S3 bucket policy: The S3 bucket policy could deny access to data to anyone except the customer's IAM role, ensuring that only the customer can access their own data. However, this option lacks granularity when it comes to controlling access at the KMS level.
...
Author: Rohan · Last updated Apr 16, 2026
A solutions architect creates a VPC that includes two public subnets and two private subnets. A corporate security mandate requires the solutions architect to launch all Amazon EC2 instances in a private subnet. However, when the solutions architect launches an EC2 instance that runs a web server on ports 80 and 443 in ...
To resolve the issue of no external internet traffic connecting to the EC2 instance in a private subnet, we need to understand the architecture and security considerations.
Key Factors:
1. Private Subnets: EC2 instances in private subnets cannot directly communicate with the internet unless routed through a service like a NAT Gateway or via a Load Balancer in a public subnet.
2. Internet Access for Web Server: The requirement is to expose a web server running on ports 80 and 443 to the external internet. This means the EC2 instance must be reachable from the internet, but it’s in a private subnet, which complicates direct access.
3. Security and Best Practices: The solutions should comply with the mandate to keep instances in private subnets while allowing necessary public access (e.g., from the internet).
Option A: Attach the EC2 instance to an Auto Scaling group in a private subnet. Ensure that the DNS record for the website resolves to the Auto Scaling group identifier.
- Analysis: While an Auto Scaling group provides scalability, it does not directly address the need for public access to the web server. It only helps with managing multiple instances, but the core issue is that the private subnet doesn't allow external traffic to reach the EC2 instance.
- Reason for rejection: The Auto Scaling group itself doesn't enable internet access for instances in private subnets. The issue isn't scaling but public accessibility.
Option B: Provision an internet-facing Application Load Balancer (ALB) in a public subnet. Add the EC2 instance to the target group that is associated with the ALB. Ensure that the DNS record for the website resolves to the ALB.
- Analysis: An Application Load Balancer (ALB) in a public subnet can route external traffic to EC2 instances in private subnets. This is a common architecture to provide secure access to web servers in private subnets. The ALB would be internet-facing, and it would forward traffic to the EC2 instance running in the private sub...
Author: Sofia · Last updated Apr 16, 2026
A company is deploying a new application to Amazon Elastic Kubernetes Service (Amazon EKS) with an AWS Fargate cluster. The application needs a storage solution for data persistence. The solution must be highly available and fault tolerant. The solution also must be shared betw...
To determine the best solution for a highly available, fault-tolerant, and easily managed persistent storage for a containerized application running on AWS Fargate within Amazon EKS, we need to consider several factors, such as availability, fault tolerance, ease of sharing data between containers, and operational overhead.
Key Considerations:
- Highly Available: The storage should be accessible from multiple containers and available across different Availability Zones.
- Fault Tolerant: The solution should provide redundancy to avoid a single point of failure.
- Shared Storage: Multiple application containers need to access the same persistent storage, which implies the need for a shared storage solution.
- Operational Overhead: The solution should be easy to manage and integrate with EKS with minimal operational complexity.
Option A: Create Amazon Elastic Block Store (Amazon EBS) volumes in the same Availability Zones where EKS worker nodes are placed. Register the volumes in a StorageClass object on an EKS cluster. Use EBS Multi-Attach to share the data between containers.
- Analysis: Amazon EBS volumes are highly available and durable within a single Availability Zone. However, they are generally attached to a single EC2 instance at a time, and using EBS Multi-Attach to share the volume between containers can introduce complexity. EBS volumes cannot be easily shared across multiple Availability Zones, and managing EBS Multi-Attach can increase operational overhead. Additionally, EBS volumes are not ideal for sharing storage across multiple containers in a Kubernetes cluster, as they are intended for individual EC2 instances.
- Reason for rejection: While EBS offers high availability within a single Availability Zone, its inability to seamlessly scale across multiple Availability Zones and the added complexity of using Multi-Attach make it a less suitable choice for shared, highly available storage.
Option B: Create an Amazon Elastic File System (Amazon EFS) file system. Register the file system in a StorageClass object on an EKS cluster. Use the same file system for all containers.
- Analysis: Amazon EFS provides a highly available and fault-tolerant managed file system that can be shared between multiple containers. EFS is accessible across mul...
Author: Isabella1 · Last updated Apr 16, 2026
A company has an application that uses Docker containers in its local data center. The application runs on a container host that stores persistent data in a volume on the host. The container instances use the stored persistent data.
The company wants to move the application to a fully managed service...
To move the application to a fully managed service, we need to address several key requirements:
Key Requirements:
1. No server or storage management: The company does not want to manage infrastructure, meaning the solution should be fully managed with minimal operational overhead.
2. Persistent storage for containers: The application uses persistent data in Docker containers, so the solution must support container-based persistent storage.
3. Fully managed service: The company wants to avoid managing servers, implying the need for a fully managed container service.
Option A: Use Amazon Elastic Kubernetes Service (Amazon EKS) with self-managed nodes. Create an Amazon Elastic Block Store (Amazon EBS) volume attached to an Amazon EC2 instance. Use the EBS volume as a persistent volume mounted in the containers.
- Analysis: Amazon EKS is a managed Kubernetes service, but using self-managed nodes implies that the company would still be responsible for managing the underlying EC2 instances and storage (EBS volumes). This does not meet the requirement of avoiding infrastructure management. While Kubernetes can manage persistent volumes, the operational overhead of managing EC2 instances and EBS volumes is still present.
- Reason for rejection: The company is looking for a solution with no infrastructure management, and self-managed EC2 instances don't meet that need.
Option B: Use Amazon Elastic Container Service (Amazon ECS) with an AWS Fargate launch type. Create an Amazon Elastic File System (Amazon EFS) volume. Add the EFS volume as a persistent storage volume mounted in the containers.
- Analysis: Amazon ECS with AWS Fargate is a fully managed container service that abstracts the underlying infrastructure, so no EC2 instances or servers need to be managed. Amazon EFS is a fully managed file storage service that can be shared between...
Author: Noah · Last updated Apr 16, 2026
A gaming company wants to launch a new internet-facing application in multiple AWS Regions. The application will use the TCP and UDP protocols for communication. The company needs to provide high availability and minimum latency for global users.
...
To meet the company's requirements of high availability, low latency, and global distribution for their internet-facing application, we need to consider the following:
Key Considerations:
- Global Traffic Routing: The solution must distribute traffic to the closest AWS region to minimize latency.
- High Availability: The application needs to be highly available across multiple regions.
- TCP and UDP Support: The application uses both TCP and UDP protocols for communication, so the chosen services must support both.
Option A: Create internal Network Load Balancers in front of the application in each Region.
- Analysis: Internal Network Load Balancers (NLBs) are used for routing traffic within a Virtual Private Cloud (VPC), not for internet-facing applications. Therefore, they are not suitable for distributing global internet traffic.
- Reason for rejection: Since the application is internet-facing, internal NLBs are not appropriate for this use case.
Option B: Create external Application Load Balancers in front of the application in each Region.
- Analysis: Application Load Balancers (ALBs) are designed for HTTP/HTTPS traffic and operate at the application layer (Layer 7), which is great for web-based applications. However, they do not support UDP and TCP protocols, which the application requires.
- Reason for rejection: ALBs are not suitable for this use case because they do not support UDP and TCP, which the gaming application needs.
Option C: Create an AWS Global Accelerator accelerator to route traffic to the load balancers in each Region.
- Analysis: AWS Global Accelerator is designed to improve the availability and performance of global applications by r...
Author: Benjamin · Last updated Apr 16, 2026
A city has deployed a web application running on Amazon EC2 instances behind an Application Load Balancer (ALB). The application's users have reported sporadic performance, which appears to be related to DDoS attacks originating from random IP addresses. The city needs a solution that requir...
To address the problem of sporadic performance due to DDoS attacks, let's review the options:
Option A: Enable an AWS WAF web ACL on the ALB, and configure rules to block traffic from unknown sources
- Pros: AWS WAF (Web Application Firewall) is designed specifically for filtering web traffic and can be applied directly to the ALB. By setting up a Web ACL (Access Control List), you can create rules to block unwanted or malicious traffic, which is likely coming from random IP addresses in this case. This solution is relatively easy to set up with minimal configuration changes and provides visibility into the traffic, which aids in creating an audit trail.
- Cons: AWS WAF does not natively provide DDoS protection, but it can be a part of the solution for filtering unwanted traffic.
- Conclusion: Suitable for the requirement to block DDoS traffic and provide visibility with a minimal setup, but not the most robust DDoS protection.
Option B: Subscribe to Amazon Inspector. Engage the AWS DDoS Response Team (DRT) to integrate mitigating controls into the service
- Pros: Amazon Inspector is a service for automated security assessments and identifying vulnerabilities. AWS DDoS Response Team (DRT) offers expert guidance in mitigating DDoS attacks.
- Cons: This option focuses on security vulnerability scanning and does not directly address DDoS protection for web applications. The DRT’s involvement might be helpful in more severe or large-scale attacks but does not provide an immediate solution for the sporadic performance problems.
- Conclusion: Not a fitting option since it focuses on security assessments rather than immediate DDoS mitigation.
Option C: Subscribe to AWS Shield Advanced. Engage the AWS DDoS Response Team (DRT) to integrate mitigating controls into the service
- Pros: AWS Shield Advanced ...
Author: StarryEagle42 · Last updated Apr 16, 2026
A company copies 200 TB of data from a recent ocean survey onto AWS Snowball Edge Storage Optimized devices. The company has a high performance computing (HPC) cluster that is hosted on AWS to look for oil and gas deposits. A solutions architect must provide the cluster with consistent sub-millisecond latency and high-throughput access to the ...
To address the scenario of providing the HPC cluster with consistent sub-millisecond latency and high-throughput access to data on the Snowball Edge Storage Optimized devices, let's evaluate each option:
Option A: Create an Amazon S3 bucket. Import the data into the S3 bucket. Configure an AWS Storage Gateway file gateway to use the S3 bucket. Access the file gateway from the HPC cluster instances.
- Pros: AWS Storage Gateway can provide on-premises access to cloud storage via file protocols. It can be useful for hybrid environments where you need to access S3 data as if it were a local file system.
- Cons: This option relies on Amazon S3, which is primarily optimized for durability and availability rather than high-performance computing. The file gateway doesn't provide sub-millisecond latency and high throughput for HPC workloads. It would introduce additional overhead for file system access.
- Conclusion: While it provides an easy way to access S3 storage, it doesn't meet the sub-millisecond latency and high-throughput requirements for HPC clusters. Not suitable for this specific scenario.
Option B: Create an Amazon S3 bucket. Import the data into the S3 bucket. Configure an Amazon FSx for Lustre file system, and integrate it with the S3 bucket. Access the FSx for Lustre file system from the HPC cluster instances.
- Pros: Amazon FSx for Lustre is a high-performance file system designed for workloads like HPC that require low-latency and high-throughput access. It integrates well with S3, enabling fast data access with seamless scaling.
- Cons: The initial data importation from the Snowball Edge devices would first require transferring data to S3. Although FSx for Lustre offers excellent performance, this would add an extra step of uploading the data to S3 before it is available for access, which could introduce additional time compared to direct import.
- Conclusion: This option is feasible but involves an extra step (S3 import) before accessing the data, which migh...
Author: Grace · Last updated Apr 16, 2026
A company has NFS servers in an on-premises data center that need to periodically back up small amounts of data to Amazon S3.
Which so...
To determine the most cost-effective and suitable solution for periodically backing up small amounts of data from on-premises NFS servers to Amazon S3, let's evaluate each option:
Option A: Set up AWS Glue to copy the data from the on-premises servers to Amazon S3
- Pros: AWS Glue is typically used for extracting, transforming, and loading (ETL) large datasets to and from data sources. It can connect to various data sources, including S3.
- Cons: AWS Glue is designed for more complex ETL processes rather than simple file backups. It's also overkill for periodically backing up small amounts of data. Glue's cost structure is based on data processing and can be more expensive for a simple task, as it is generally designed for larger, more complex workloads.
- Conclusion: This is not a cost-effective solution for periodic backups of small amounts of data due to its complexity and associated costs.
Option B: Set up an AWS DataSync agent on the on-premises servers, and sync the data to Amazon S3
- Pros: AWS DataSync is optimized for large-scale data transfers, offering fast, secure, and efficient file transfer between on-premises storage and AWS services like S3. It is designed for use cases where there is a need to sync data to S3, and it handles various data types efficiently.
- Cons: AWS DataSync is priced per gigabyte transferred, so the transfer itself costs little for small backups, but it requires deploying and maintaining a DataSync agent (a VM or an EC2 instance) that reads the NFS export, which is more infrastructure than a periodic copy of a small amount of data needs.
- Conclusion: While AWS DataSync is a good solution, it might be sligh...
Author: ElectricLionX · Last updated Apr 16, 2026
An online video game company must maintain ultra-low latency for its game servers. The game servers run on Amazon EC2 instances. The company needs a solution that can handle millions of UDP internet traffic r...
Let's evaluate the options to meet the company's requirement for handling ultra-low latency and millions of UDP traffic requests each second for game servers running on Amazon EC2 instances.
Option A: Configure an Application Load Balancer with the required protocol and ports for the internet traffic. Specify the EC2 instances as the targets.
- Pros: Application Load Balancers (ALB) are layer 7 load balancers for HTTP/HTTPS traffic, with content-based routing and automatic scaling, which makes them the right choice for web applications.
- Cons: ALB listeners are HTTP and HTTPS only (WebSocket, HTTP/2 and gRPC ride on top of those). An ALB cannot terminate UDP at all, so it cannot front game traffic regardless of scale.
- Conclusion: This option is not suitable because it cannot handle UDP traffic, which is essential for game server performance.
Option B: Configure a Gateway Load Balancer for the internet traffic. Specify the EC2 instances as the targets.
- Pros: A Gateway Load Balancer deploys and scales fleets of inline virtual appliances (firewalls, IDS/IPS, deep packet inspection) in a VPC, which is useful when traffic must be inspected at the network layer.
- Cons: Its targets are appliances, not application servers. Traffic reaches it through a Gateway Load Balancer endpoint rather than a public listener, and it hands packets to the appliances inside GENEVE encapsulation on UDP port 6081. It is a building block for traffic inspection, not a load balancer for client UDP traffic to EC2 game servers.
- Conclusion: This option is not ideal for handling millions of UDP traffic requests for gaming, as it's not optimized for that kind of use.
Option C: Configure a Network Load Balancer with the required p...
Author: VioletCheetah55 · Last updated Apr 16, 2026
A company runs a three-tier application in a VPC. The database tier uses an Amazon RDS for MySQL DB instance.
The company plans to migrate the RDS for MySQL DB instance to an Amazon Aurora PostgreSQL DB cluster. The company needs a solution that replicates the data changes that ...
To meet the requirements of migrating data from an Amazon RDS for MySQL DB instance to an Amazon Aurora PostgreSQL DB cluster, and ensuring data changes are replicated during the migration, let's evaluate the options:
Option A: Use AWS Database Migration Service (AWS DMS) Schema Conversion to transform the database objects.
- Pros: AWS DMS can be used to migrate the data from MySQL to PostgreSQL and handle schema conversion. Schema conversion helps translate the MySQL schema into the appropriate PostgreSQL schema format, including changes in data types, indexes, and constraints.
- Cons: While AWS DMS can help with schema conversion, it is not sufficient on its own for migrating the data during the process. It is just one part of the migration process.
- Conclusion: This step is necessary for the schema transformation but needs to be paired with other migration tasks for data replication and migration.
Option B: Use AWS Database Migration Service (AWS DMS) Schema Conversion to create an Aurora PostgreSQL read replica on the RDS for MySQL DB instance.
- Pros: None for this requirement. AWS DMS Schema Conversion converts schema objects; it does not create read replicas.
- Cons: RDS for MySQL can replicate to an Aurora MySQL read replica, but there is no read-replica relationship between RDS for MySQL and Aurora PostgreSQL, because the engines differ. Replicating ongoing changes across engines requires a heterogeneous DMS migration task with change data capture (CDC), not a read replica.
- Conclusion: This is not a valid solution because read replicas between MySQL and PostgreSQL are not supported.
Option C: Configure an Aurora MySQL read replica for the RDS for MySQL DB instance.
- Pros: This option involves creating an Aurora MySQL read replica from the MySQL database. However, this is only useful if the company...
Author: Ishaan · Last updated Apr 16, 2026
A company hosts a database that runs on an Amazon RDS instance that is deployed to multiple Availability Zones. The company periodically runs a script against the database to report new entries that are added to the database. The script that runs against the database negatively affects the performance of a critical application. The compan...
Evaluation of Each Option:
Option A: Add functionality to the script to identify the instance that has the fewest active connections. Configure the script to read from that instance to report the total new entries.
- Reasoning:
- This option adds logic to the script to pick the instance with the fewest active connections. In a Multi-AZ DB instance deployment, however, the standby in the second Availability Zone is not readable; it exists only for failover, and there is a single writer endpoint. Whichever "instance" the script picks, it is still querying the primary, so the load on the critical application is unchanged.
- Operational Overhead: This adds a layer of logic to the script, increasing its complexity and making maintenance harder.
- Rejection Reasoning: This approach doesn't address the root issue (performance impact on the critical application) effectively and increases the complexity of the solution with minimal gain.
Option B: Create a read replica of the database. Configure the script to query only the read replica to report the total new entries.
- Reasoning:
- By creating a read replica, you offload the query traffic from the primary instance, ensuring that the performance of the critical application running on the primary instance isn't negatively impacted.
- Operational Overhead: Minimal – Amazon RDS handles replication automatically, and no additional manual intervention is required once the read replica is set up. Replication is asynchronous, so the report may lag the primary by a few seconds; for a "new entries" report that is acceptable, and the replica's ReplicaLag metric can be checked before the script runs.
- Cost: A read replica is itself an additional DB instance, billed at the rate for its instance class plus its storage (cross-Region replicas also incur data transfer charges), so size it for the reporting query rather than mirroring the primary's class.
- Effectiveness: This option minimizes operational overhead while effectively offloading the query work from the primary instance, ensuring that the critical application performance remains unaffected.
- Why it’s optimal: Read replicas are designed specifically to handle read-heavy workloads and can significantly improve application performance when multiple queries need to be executed without overloading the primary database. Minimal operational overhead and low cost make this the most suitable option.
Option C: Instruct the development team to manually export the new entries for the day in the database at the end of each day....
Author: Lucas · Last updated Apr 16, 2026
A company is using an Application Load Balancer (ALB) to present its application to the internet. The company finds abnormal traffic access patterns across the application. A solutions architect needs to improve visibility into the infrastructure to help the company under...
Evaluation of Each Option:
Option A: Create a table in Amazon Athena for AWS CloudTrail logs. Create a query for the relevant information.
- Reasoning:
- CloudTrail logs capture API calls made to AWS services, which is useful for auditing and security-related events, but it does not capture the detailed traffic access patterns of an Application Load Balancer (ALB). ALB traffic logs (such as IP addresses, request paths, and response times) are not stored in CloudTrail.
- Operational Overhead: Medium – Setting up Athena and creating queries for CloudTrail logs is straightforward, but it won't provide the required information regarding the traffic patterns related to the ALB.
- Effectiveness: Not effective in capturing the traffic access patterns for ALB. This option would not meet the requirement.
- Rejection Reasoning: CloudTrail logs don't capture the necessary traffic access details of ALB, so this option is not suitable.
Option B: Enable ALB access logging to Amazon S3. Create a table in Amazon Athena, and query the logs.
- Reasoning:
- ALB access logs provide detailed information about requests that are sent to the load balancer, such as client IP addresses, requested URLs, response codes, latencies, etc. These logs are stored in Amazon S3, which can be directly queried using Amazon Athena.
- Operational Overhead: Low – Enabling access logging on the ALB is a simple configuration change (access logs are off by default; the target S3 bucket's policy must grant the Elastic Load Balancing log-delivery principal for that Region permission to write, and log files arrive in batches every 5 minutes). Once logs are in S3, querying them via Athena is efficient and provides the required visibility without manual intervention.
- Effectiveness: This solution directly meets the requirement by providing a scalable, queryable log of traffic access patterns. It’s automated and easy to use for querying abnormal traffic patterns.
- Why it’s optimal: This option provides direct visibility into traffic patterns, and Athena allows for easy querying without manually processing raw log files. It's a minimal-effort and highly effective solution.
Option C: Enable ALB access logging to Amazon S3. Open e...
Author: Sophia Clark · Last updated Apr 16, 2026
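The Athena query in Option B is where the investigation starts. As an added example that is not part of this page, the Python below shows the same analysis done offline on a handful of constructed log lines laid out in the documented ALB access-log field order: it parses each entry, profiles each client IP, and flags the two patterns a solutions architect would look for first in "abnormal" traffic (a scanner probing many non-existent paths, and a client hammering one endpoint with failures). The IP addresses, hostnames, ARNs and thresholds are placeholders.

```python
"""Profile clients in ALB access logs and flag abnormal access patterns.

Added example, not from the original page. The log lines are constructed
sample data in the documented ALB access-log field order.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Documented ALB access-log field order (space-delimited; quoted fields may contain spaces).
FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
    "target_port_list", "target_status_code_list", "classification", "classification_reason",
]
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # either a double-quoted field or a bare token


def parse_alb_line(line):
    """Split one entry into a dict keyed by FIELDS, plus derived client_ip, method and path."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError(f"short ALB log line ({len(tokens)} fields)")
    entry = dict(zip(FIELDS, tokens))
    entry["client_ip"] = entry["client_port"].rsplit(":", 1)[0]
    parts = entry["request"].split(" ")          # "METHOD URL HTTP/x.y" (or "- - -" if malformed)
    entry["method"] = parts[0]
    entry["path"] = urlsplit(parts[1]).path if len(parts) > 1 else "-"
    return entry


def profile_clients(lines):
    """Per-client counters: requests, 4xx/5xx responses from the ELB, distinct paths, paths that errored."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(), "error_paths": set(), "agents": set()})
    for line in lines:
        if not line.strip():
            continue
        e = parse_alb_line(line)
        s = stats[e["client_ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        s["agents"].add(e["user_agent"])
        if e["elb_status_code"].isdigit() and int(e["elb_status_code"]) >= 400:
            s["errors"] += 1
            s["error_paths"].add(e["path"])
    return dict(stats)


def flag_abnormal(stats, max_requests=5, min_requests=3, error_ratio=0.5, scan_paths=5):
    """Return {client_ip: [reasons]} for scanner-like or brute-force-like clients.
    The thresholds are placeholders for this sample; tune them against the real request rate."""
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["requests"] > max_requests:
            reasons.append("volume")
        if s["requests"] >= min_requests and s["errors"] / s["requests"] >= error_ratio:
            reasons.append("error_ratio")
        if len(s["error_paths"]) >= scan_paths:      # many distinct failing paths = path enumeration
            reasons.append("path_scan")
        if reasons:
            findings[ip] = reasons
    return findings


def _sample_line(ts, ip, method, url, status, ua):
    """Constructed ALB entry (29 fields, documented order); IDs and ARNs are placeholders."""
    return (
        f'http {ts} app/web-alb/50dc6c495c0c9188 {ip}:43210 10.0.1.15:80 0.000 0.002 0.000 '
        f'{status} {status} 220 512 "{method} {url} HTTP/1.1" "{ua}" - - '
        f'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/73e2d6bc24d8a067 '
        f'"Root=1-58337262-36d228ad5d99923122bbe354" "www.example.com" "-" 0 {ts} '
        f'"forward" "-" "-" "10.0.1.15:80" "{status}" "-" "-"'
    )


SAMPLE_LOG = [  # constructed sample data: one normal user, one path scanner, one login brute forcer
    _sample_line("2026-04-16T10:00:00.000000Z", "198.51.100.20", "GET", "http://www.example.com:80/", 200, "Mozilla/5.0 (X11; Linux x86_64)"),
    _sample_line("2026-04-16T10:00:01.000000Z", "198.51.100.20", "GET", "http://www.example.com:80/api/items?page=2", 200, "Mozilla/5.0 (X11; Linux x86_64)"),
] + [
    _sample_line(f"2026-04-16T10:00:0{i}.000000Z", "203.0.113.7", "GET", f"http://www.example.com:80{p}", 404, "python-requests/2.31")
    for i, p in enumerate(["/wp-login.php", "/.env", "/admin", "/phpmyadmin/", "/.git/config", "/xmlrpc.php"])
] + [
    _sample_line(f"2026-04-16T10:01:0{i}.000000Z", "192.0.2.55", "POST", "http://www.example.com:80/login", 401, "curl/8.0")
    for i in range(3)
]


def report(lines=SAMPLE_LOG):
    return flag_abnormal(profile_clients(lines))


if __name__ == "__main__":
    for ip, reasons in report().items():
        print(ip, ", ".join(reasons))   # 203.0.113.7 volume, error_ratio, path_scan / 192.0.2.55 error_ratio
```

Each reason maps directly onto an Athena query over the same fields (`GROUP BY client_ip`, a count of `elb_status_code >= 400`, `COUNT(DISTINCT request_url)`), so the thresholds worked out here against sample data can be reused as the `HAVING` clauses of the production query.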
A company wants to use NAT gateways in its AWS environment. The company's Amazon EC2 instances in private subnets must be able to connect to the public internet th...
Evaluation of Each Option:
Option A: Create public NAT gateways in the same private subnets as the EC2 instances.
- Reasoning:
- A public NAT gateway forwards traffic to the internet through the VPC's internet gateway, so it must sit in a subnet whose route table has a 0.0.0.0/0 route to that internet gateway, which is what makes a subnet "public". AWS will let you create a public NAT gateway in a private subnet, but its outbound traffic has no path to the internet gateway, so the instances behind it still cannot reach the internet.
- Operational Overhead: High – The gateway is created and billed but never works; troubleshooting leads back to the route table, and the fix is to rebuild it in a public subnet.
- Rejection Reasoning: A public NAT gateway must be placed in a public subnet to route internet traffic. This option is invalid.
Option B: Create private NAT gateways in the same private subnets as the EC2 instances.
- Reasoning:
- Private NAT gateways do exist: a NAT gateway's connectivity type is either public or private. A private NAT gateway has no Elastic IP and cannot route through an internet gateway; it translates addresses for traffic between VPCs or to on-premises networks (over a transit gateway or VPC peering), for example when address ranges overlap. By design it offers no path to the internet.
- Operational Overhead: Not applicable – The gateway would be created without error, but no outbound internet route can be built through it, so the requirement is simply not met.
- Rejection Reasoning: A private NAT gateway is a real resource, but it cannot provide internet access, so this option does not satisfy the requirement.
Option C: Create public NAT gateways in public subnets in the same VPCs as the EC2 instances.
- Reasoning:
- This is the correct setup. Public NAT gateways belong in public subnets, whose route table sends 0.0.0.0/0 to an internet gateway; the private subnets' route tables then send 0.0.0.0/0 to the NAT gateway (one NAT gateway per Availability Zone avoids a cross-AZ dependency). EC2 instances in private subnets can use these public NAT gateways to access the internet for tasks like software updates or accessing e...
Author: Siddharth · Last updated Apr 16, 2026
A company has an organization in AWS Organizations. The company runs Amazon EC2 instances across four AWS accounts in the root organizational unit (OU). There are three nonproduction accounts and one production account. The company wants to prohibit users from launching EC2 instances of a certain size in the nonproduction accounts. The company has created a service contro...
Evaluation of Each Option:
Option A: Attach the SCP to the root OU for the organization.
- Reasoning:
- Attaching the SCP to the root OU will affect all accounts in the organization, including both production and nonproduction accounts. This means that the SCP will apply universally to all accounts within the organization.
- Operational Overhead: High – The requirement is to apply the SCP to nonproduction accounts only. Applying it at the root level would restrict EC2 instance launching in both production and nonproduction accounts, which is not the desired outcome.
- Effectiveness: Not optimal because it affects the production account, which should not be restricted.
- Rejection Reasoning: This option is not suitable because it would inadvertently restrict EC2 instance launching in the production account as well.
Option B: Attach the SCP to the three nonproduction Organizations member accounts.
- Reasoning:
- This approach targets the three nonproduction accounts directly, applying the SCP only to those accounts that require the restriction.
- Operational Overhead: Medium – This is a valid approach, but it requires applying the SCP to each nonproduction account individually, which could become cumbersome if the number of accounts grows.
- Effectiveness: Effective in restricting the EC2 instance types in the nonproduction accounts without affecting the production account.
- Why it’s optimal: This solution directly applies the SCP to the relevant nonproduction accounts and does not impact the production account. It's effective, but could be less scalable if more accounts are added in the future.
Option C: Attach the SCP to the Organizations management account.
- Reasoning:
- SCPs never restrict the management account, no matter where they are attached, and an SCP attached to the management account applies only to that account, not to the member accounts beneath it. SCPs take effect on a member account only when attached to the root, to an OU in that account's path, or to the account itself.
- Operational Overhead: High – The SCP would be attached to the one account it cannot affect, and nothing would change in the nonproduction accounts.
- Effectiveness: Ineffective – This would not target the correct accounts as SCPs are generally i...
Author: CrystalWolfX · Last updated Apr 16, 2026
A company's website hosted on Amazon EC2 instances processes classified data stored in Amazon S3. Due to security concerns, the company requires a private and secure connection betwe...
Evaluation of Each Option:
Option A: Set up S3 bucket policies to allow access from a VPC endpoint.
- Reasoning:
- Amazon VPC endpoints allow private communication between resources in a VPC and supported AWS services like S3 without traversing the public internet. For S3 this is a gateway endpoint: a route to the S3 prefix list is added to the private subnets' route table, so requests to S3 never leave the AWS network and need no NAT gateway or internet gateway. The endpoint by itself does not restrict who can reach the bucket; the bucket policy should require the request to arrive through that endpoint (a Deny with StringNotEquals on aws:SourceVpce, or a condition on aws:SourceVpc), and the endpoint policy can limit which buckets are reachable. Together these meet the requirement for a private and secure connection.
- Operational Overhead: Low – Configuring a VPC endpoint is a straightforward process, and it does not involve managing additional credentials or networking complexity.
- Effectiveness: Very effective – This solution ensures private, secure communication between EC2 instances and S3, without any public internet exposure.
- Why it’s optimal: This option directly addresses the security and privacy concerns by ensuring all traffic between EC2 and S3 is kept within the AWS network using private connectivity.
Option B: Set up an IAM policy to grant read-write access to the S3 bucket.
- Reasoning:
- While setting up an IAM policy to grant read-write access is necessary to control permissions for EC2 instances accessing S3, it does not address the need for a private and secure connection. This solution focuses on access control rather than securing the connection itself.
- Operational Overhead: Medium – Setting up IAM policies is a standard practice, but it doesn't resolve the requirement for a private and secure connection.
- Effectiveness: Ineffective – IAM policies control what users and services can do, but they don’t ensure the traffic between EC2 and S3 is private and not traversing the public internet.
- Rejection Reasoning: This solution is necessary for access control but does not meet the requirement for a private connection.
Option C: Set up a NAT gateway to access resources outside the private subnet.
- Reasoning:
- A NAT gateway is used to provide internet access to res...
Author: Ming88 · Last updated Apr 16, 2026
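Two of the questions above turn on the same mechanism: a Deny statement with a Condition that gates a request (the SCP that blocks large EC2 instance types in the nonproduction accounts, and the S3 bucket policy that only admits requests arriving through the VPC endpoint). As an added example that is neither AWS code nor part of this page, the Python below models a deliberately small subset of IAM evaluation (an explicit Deny wins, otherwise an Allow is required, otherwise implicit deny) and runs a constructed SCP and a constructed bucket policy through it. The account ID, endpoint ID, role name, bucket name and instance-type patterns are placeholders.

```python
"""Walk through the Deny/Allow/Condition logic of an SCP and an S3 bucket policy.

Added example, not AWS code: a simplified subset of IAM policy evaluation
(explicit Deny wins, then an Allow is needed, else implicit deny) applied to
two constructed policies. All identifiers are placeholders.
"""
import fnmatch

# Constructed SCP for the nonproduction OU: keep FullAWSAccess, deny launching large instance types.
SCP_DENY_LARGE_INSTANCES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringLike": {"ec2:InstanceType": ["*.16xlarge", "*.24xlarge", "*.metal"]}},
        },
    ],
}

# Constructed bucket policy: only the web tier's role, and only through the VPC endpoint.
BUCKET_POLICY_VPCE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::classified-data", "arn:aws:s3:::classified-data/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/web-instance-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::classified-data/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, context):
    principal = stmt.get("Principal", "*")          # SCPs carry no Principal element
    if principal == "*":
        return True
    return context.get("aws:PrincipalArn") in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    """String operators only. A key missing from the request context fails StringEquals/StringLike
    but satisfies StringNotEquals; that is why a Deny on StringNotEquals aws:SourceVpce catches
    requests that did not come through the endpoint (the key is simply absent for them)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, p) for p in expected)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'deny', 'allow' or 'implicit-deny' for one request against one policy."""
    context = context or {}
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue                                 # action names match case-insensitively
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt, context) or not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"                            # an explicit Deny ends evaluation
        decision = "allow"
    return decision


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/*"
    print(evaluate(SCP_DENY_LARGE_INSTANCES, "ec2:RunInstances", inst, {"ec2:InstanceType": "p4d.24xlarge"}))  # deny
    print(evaluate(SCP_DENY_LARGE_INSTANCES, "ec2:RunInstances", inst, {"ec2:InstanceType": "t3.micro"}))      # allow
    obj, role = "arn:aws:s3:::classified-data/report.csv", "arn:aws:iam::123456789012:role/web-instance-role"
    print(evaluate(BUCKET_POLICY_VPCE_ONLY, "s3:GetObject", obj, {"aws:PrincipalArn": role, "aws:SourceVpce": "vpce-0123456789abcdef0"}))  # allow
    print(evaluate(BUCKET_POLICY_VPCE_ONLY, "s3:GetObject", obj, {"aws:PrincipalArn": role}))  # deny (no endpoint)
```

Two practitioner caveats the model makes visible. First, the SCP only sets the ceiling: a request that survives the SCP still needs an identity-based Allow in the member account, and the SCP has no effect at all when attached to the management account. Second, a Principal "*" Deny keyed on aws:SourceVpce locks out everyone who is not inside the VPC, including administrators working from the console; real deployments usually add an exception (for example on aws:PrincipalArn) for a break-glass role before applying it to a bucket that holds classified data.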
An ecommerce company runs its application on AWS. The application uses an Amazon Aurora PostgreSQL cluster in Multi-AZ mode for the underlying database. During a recent promotional campaign, the application experienced heavy read load and write load. Users experienced timeout issues when they attempted to access the application.
A solutions architec...
To address the application’s scalability and high availability needs with the least downtime, let’s analyze the options based on key factors:
Key factors for consideration:
1. Scalability: The ability to handle high load and scale dynamically based on traffic.
2. High Availability: Ensuring that the system remains available even in the event of failures.
3. Minimal Downtime: Since the problem arose during a promotional campaign, minimizing downtime is crucial.
4. Cost and Complexity: The solution should not introduce unnecessary complexity or costs.
Option A: Create an Amazon EventBridge rule that has the Aurora cluster as a source. Create an AWS Lambda function to log the state change events of the Aurora cluster. Add the Lambda function as a target for the EventBridge rule. Add additional reader nodes to fail over to.
- Analysis: This solution proposes adding reader nodes to the Aurora cluster and using an EventBridge rule with Lambda to log state changes. The additional reader nodes can help offload the read-heavy traffic during high-load periods, improving scalability and reducing the risk of timeouts due to excessive reads. However, this approach introduces additional complexity (EventBridge and Lambda) and would not directly address the root cause of write load or help with ensuring high availability in a failover situation.
- Rejected because: The EventBridge + Lambda setup adds complexity and does not directly tackle the write load issues, making it less effective in addressing the immediate problem during the campaign.
Option B: Modify the Aurora cluster and activate the zero-downtime restart (ZDR) feature. Use Database Activity Streams on the cluster to track the cluster status.
- Analysis: The Zero-Downtime Restart (ZDR) feature allows for restarts without application downtime, which can be helpful in some maintenance scenarios. However, ZDR is mainly useful for applying minor updates without taking the system offline, and does not directly help with high availability or scalability under load. The Database Activity Streams would only help monitor the status and wouldn’t actively mitigate load-related issues.
- Rejected because: ZDR only addresses restart scenarios and would not improve scalab...