Amazon Practice Questions, Discussions & Exam Topics by our Authors
A large education company recently introduced Amazon Workspaces to provide access to internal applications across multiple universities. The company is storing user profiles on an Amazon FSx for Windows File Server file system. The file system is configured with a DNS alias and is connected to a self-managed Active Directory. As more users begin to use the Workspaces, login time increases to unacceptable levels.
An investigation reveals a degradation in performance of the file system. The company created the file system on HDD storage with a...
To address the issue of increasing login times and performance degradation of the file system, the solution must focus on improving the storage type (from HDD to SSD) and throughput (from 16 MBps to 32 MBps). The main goal is to improve file system performance with the least administrative effort while minimizing user disruption. Let’s evaluate each option:
Option A: Use AWS Backup to create a point-in-time backup of the file system. Restore the backup to a new FSx for Windows File Server file system. Select SSD as the storage type. Select 32 MBps as the throughput capacity. When the backup and restore process is completed, adjust the DNS alias accordingly. Delete the original file system.
- Explanation: This option creates a backup of the current file system, restores it to a new file system with SSD storage and increased throughput, and then adjusts the DNS alias.
- Advantages:
  - It allows you to maintain the current file system while the new system is being prepared.
  - The backup and restore approach ensures no data is lost during the transition.
- Drawbacks:
  - Backup and restore introduces additional steps and potential delays. It also requires a new file system to be created, which can involve extra administrative tasks.
  - There could be some downtime required for DNS propagation and making the final switch, which could affect users.
- Rejection reason: While this option works, it involves creating an entirely new file system and restoring data, which might require more administrative effort compared to simply modifying the existing file system.
Option B: Disconnect users from the file system. In the Amazon FSx console, update the throughput capacity to 32 MBps. Update the storage type to SSD. Reconnect users to the file system.
- Explanation: This option simply involves modifying the existing file system to increase throughput and change the storage type to SSD.
- Advantages:
  - Minimal effort: You can make the changes directly on the existing file system without needing to create new file systems or restore backups.
  - No data migration: No need to move data to another file system, and the changes can be made during the maintenance window.
- Drawbacks:
  - Requires disconnecting users, which could affect their work if the downtime is not scheduled properly.
  - There could be a slight risk of issues during the modification, though this is minimal.
- Why this works: This is the simplest and most efficient option as it improves the performance of the existing file system without requiring the creation of a new file system. It mee...
Author: NightmareDragon2025 · Last updated May 13, 2026
A company hosts an application on AWS. The application reads and writes objects that are stored in a single Amazon S3 bucket. The company must modify the application to deploy the application in two AWS Reg...
To meet the requirements of deploying an application across two AWS Regions with minimal operational overhead while managing objects in an S3 bucket, we need to consider options that allow the application to seamlessly access and modify objects stored in a centralized location, while minimizing complexity and manual management. Let’s evaluate each option:
Option A: Set up an Amazon CloudFront distribution with the S3 bucket as an origin. Deploy the application to a second Region. Modify the application to use the CloudFront distribution. Use AWS Global Accelerator to access the data in the S3 bucket.
- Explanation: This approach uses CloudFront as a CDN to distribute the S3 bucket contents and AWS Global Accelerator to optimize global access. The application in each region accesses data via CloudFront, with Global Accelerator improving performance and availability.
- Drawbacks:
  - This solution requires additional components such as CloudFront and Global Accelerator, which can add complexity to the architecture.
  - CloudFront caches content, which is ideal for read-heavy applications but may not be well-suited for applications that frequently write or modify data, as the cache might not immediately reflect changes made to the S3 bucket.
  - This option adds operational overhead to manage CloudFront and Global Accelerator configurations, especially for write-heavy workloads.
- Rejection reason: While this option improves access performance, it introduces additional complexity and may not be the best solution for applications that require frequent writes to the S3 bucket.
Option B: Create a new S3 bucket in a second Region. Set up bidirectional S3 Cross-Region Replication (CRR) between the original S3 bucket and the new S3 bucket. Configure an S3 Multi-Region Access Point that uses both S3 buckets. Deploy a modified application to both Regions.
- Explanation: This solution involves using S3 Cross-Region Replication (CRR) to replicate objects between two S3 buckets across different Regions. Then, an S3 Multi-Region Access Point is configured to seamlessly access objects from both buckets in the application.
- Advantages:
  - S3 Multi-Region Access Point simplifies managing objects across multiple Regions and provides seamless access to data from the closest bucket in each Region.
  - CRR ensures data consistency and replication between the S3 buckets across Regions.
  - This solution ensures the application can access and modify data in a high-availability manner with minimal operational effort.
- Why this works: It provides a highly scalable and resilient solution with low operational overhead. The app...
Author: Vivaan · Last updated May 13, 2026
An online gaming company needs to rehost its gaming platform on AWS. The company's gaming application requires high performance computing (HPC) processing and has a leaderboard that changes frequently. An Ubuntu instance that is optimized for compute generation hosts a Node.js application for game display. Game state is tracked in an on-premis...
The gaming company needs to rehost its platform with a solution that supports high performance computing (HPC) and maintains the leaderboard efficiently. The solution should optimize application performance, particularly for the real-time leaderboard, which changes frequently.
Option A: Create an Auto Scaling group of m5.large Amazon EC2 Spot Instances behind an Application Load Balancer. Use an Amazon ElastiCache for Redis cluster to maintain the leaderboard.
- Explanation:
  - The m5.large EC2 instances are optimized for general-purpose compute, but they may not offer the best performance for HPC workloads, which require high computational power.
  - Spot instances are cost-effective but may be terminated by AWS, which could lead to potential disruptions in a gaming environment, especially when handling real-time game state.
  - ElastiCache for Redis is a good choice for a real-time, high-speed leaderboard since Redis is an in-memory data store designed for low-latency access.
- Drawbacks:
  - Spot instances are not ideal for workloads requiring consistent, high performance due to potential instance terminations.
  - m5.large instances are not the best for HPC workloads.
Option B: Create an Auto Scaling group of c5.large Amazon EC2 Spot Instances behind an Application Load Balancer. Use an Amazon OpenSearch Service cluster to maintain the leaderboard.
- Explanation:
  - The c5.large EC2 instances are optimized for compute-intensive workloads (HPC), which is suitable for gaming applications requiring high performance.
  - OpenSearch Service is a search and analytics engine, more suited for full-text search, logging, and indexing rather than real-time data like a leaderboard.
- Drawbacks:
  - OpenSearch is not designed for low-latency, in-memory key-value stores like Redis, making it a poor fit for the real-time leaderboard requirements.
  - The use of Spot instances still introduces potential risks due to termination, as discussed earlier.
Option C: Create an Auto Scaling group of c5.large Amazon EC2 On-Demand Instances behind an Applic...
Author: Emma · Last updated May 13, 2026
A solutions architect is designing an application to accept timesheet entries from employees on their mobile devices. Timesheets will be submitted weekly, with most of the submissions occurring on Friday. The data must be stored in a format that allows payroll administrators to run monthly reports. The infrastructure must be highly available and scale to match t...
Reasoning:
To meet the requirements of high availability, scalability, and minimal operational overhead, we should focus on services that handle scaling automatically, reduce management overhead, and integrate well with serverless or managed services. Additionally, considering the timing of the application’s peak load (high volume on Fridays), it is important to design a solution that can scale dynamically and efficiently.
Analyzing each option:
A) Deploy the application to Amazon EC2 On-Demand Instances with load balancing across multiple Availability Zones. Use scheduled Amazon EC2 Auto Scaling to add capacity before the high volume of submissions on Fridays.
- Rejected: This option requires the management of EC2 instances, which involves more operational overhead (e.g., patching, scaling configurations, and instance monitoring). While it could handle scaling during peak times with Auto Scaling, it still requires more manual management compared to serverless options, which is not ideal for minimizing overhead.
B) Deploy the application in a container using Amazon Elastic Container Service (Amazon ECS) with load balancing across multiple Availability Zones. Use scheduled Service Auto Scaling to add capacity before the high volume of submissions on Fridays.
- Rejected: While ECS can scale and provides a flexible containerized approach, it still requires managing container orchestration. Containers can be useful for high traffic, but they still introduce overhead in terms of maintaining the containers, scaling configurations, and resource management. For reducing operational complexity, fully managed serverless options are better suited.
C) Deploy the application front end to an Amazon S3 bucket served by Amazon CloudFront. Deploy the application backend using Amazon API Gateway with an AWS Lambda proxy integration.
- Selected: This solution uses serverless componen...
Author: Abigail · Last updated May 13, 2026
A company is storing sensitive data in an Amazon S3 bucket. The company must log all activities for objects in the S3 bucket and must keep the logs for 5 years. The company's security team also must receive an email notification every time there is an attempt to delete dat...
Reasoning:
To meet the requirements of logging S3 activities, storing logs for 5 years, and notifying the security team when data is deleted, the solution needs to address the following:
1. Logging all object activities (specifically deletions) in S3.
2. Storing the logs for 5 years.
3. Providing notifications for deletion events.
4. Doing this in a cost-effective manner, minimizing both complexity and cost.
Analyzing each option:
A) Configure AWS CloudTrail to log S3 data events.
- Selected: AWS CloudTrail logs S3 data events and is a great fit for logging object-level activity, such as the deletion of files. CloudTrail records these events, which can be kept for an extended period, and are easily searchable for auditing purposes. CloudTrail is also tightly integrated with other AWS services like Amazon SNS for notifications, making it both highly effective and cost-efficient for this use case.
B) Configure S3 server access logging for the S3 bucket.
- Rejected: While S3 server access logging records request-level activity (such as object creation, retrieval, and deletion), it does not capture detailed data-level events. For example, it may not log every individual delete request or the specific user responsible for the deletion. It's also not ideal for meeting the 5-year log retention requirement because it requires additional manual processes to ensure proper lifecycle management and storage of logs for that long.
C) Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES).
- Rejected: While SES can be used to send email notifications, it is not the best fit for triggering actions based on S3 events. S3 does not directly support sending object del...
Author: Ava · Last updated May 13, 2026
A company is building a hybrid environment that includes servers in an on-premises data center and in the AWS Cloud. The company has deployed Amazon EC2 instances in three VPCs. Each VPC is in a different AWS Region. The company has established an AWS Direct Connect connection to the data center from the Region that is closest to the data center.
The company needs the servers in the on-premises data center to have access to the EC2 instances in al...
Requirements:
1. Access to EC2 instances in three VPCs across different AWS Regions from the on-premises data center.
2. Access to AWS public services from the on-premises servers.
3. Cost minimization: The solution should be cost-effective.
Let's evaluate each option based on these requirements.
---
A) Create a Direct Connect gateway in the Region that is closest to the data center. Attach the Direct Connect connection to the Direct Connect gateway. Use the Direct Connect gateway to connect the VPCs in the other two Regions.
- Analysis:
  - Direct Connect Gateway allows a single Direct Connect connection to be used across multiple VPCs, even if they are in different AWS Regions. This is the most efficient way to connect VPCs across regions without setting up multiple Direct Connect connections.
  - By using a Direct Connect gateway, the data center can connect to all three VPCs in different regions with one connection.
  - This approach avoids additional costs associated with creating separate Direct Connect connections to other regions.
- Conclusion: This is a cost-effective solution and is ideal for cross-region connectivity without needing separate connections.
---
B) Set up additional Direct Connect connections from the on-premises data center to the other two Regions.
- Analysis:
  - Setting up additional Direct Connect connections for each region incurs additional costs for each new connection.
  - This would not be cost-effective because the company already has a Direct Connect connection in the closest region and can utilize a Direct Connect Gateway to connect to other regions.
- Conclusion: This option is more expensive and less optimal than option A, as it involves extra connections and higher costs.
---
C) Create a private VIF. Establish an AWS Site-to-Site VPN connection over the private VIF to the VPCs in the other two Regions.
- Analysis:
  - A private Virtual Interface (VIF) provides a dedicated connection between the on-premises data center and AWS. However, Site-to-Site VPN is generally used for backup or additional secure communication over the internet and introduces additional costs and complexity for maintaining VPN tunnels.
  - A VPN over Direct Connect does not provide the same bandwidth or reliability as using Direct Connect itself, and usin...
Author: Grace · Last updated May 13, 2026
A company is using an organization in AWS Organizations to manage hundreds of AWS accounts. A solutions architect is working on a solution to provide baseline protection for the Open Web Application Security Project (OWASP) top 10 web application vulnerabilities. The solutions architect is using AWS WAF for all existing and new Amazon CloudFront distributions tha...
Reasoning:
The company is looking to provide baseline protection for the OWASP Top 10 vulnerabilities across all its AWS accounts using AWS WAF in Amazon CloudFront distributions. The solution should be designed to automatically deploy and enforce these protections while minimizing operational overhead and ensuring consistency across the organization.
Analyzing each option:
A) Enable AWS Config in all accounts.
- Rejected: AWS Config is useful for tracking configurations and compliance across AWS resources, but it is not directly related to deploying or enforcing WAF rules. While it can be used for auditing and ensuring compliance, it does not address the deployment of AWS WAF protections for the CloudFront distributions or mitigate web application vulnerabilities like the OWASP Top 10.
B) Enable Amazon GuardDuty in all accounts.
- Rejected: Amazon GuardDuty is a threat detection service that provides continuous monitoring for malicious or unauthorized activity in AWS accounts, but it does not directly address the OWASP Top 10 vulnerabilities or enforce WAF protections. GuardDuty can detect some types of malicious activity, but it is not specifically focused on application-layer vulnerabilities, which AWS WAF is designed to handle.
C) Enable all features for the organization.
- Rejected: This option is too vague and lacks specificity. Enabling "all features" in AWS Organizations could refer to a broad range of services that may not be directly related to deploying AWS WAF rules for CloudFront distributions. While enabling features could help with management, it doesn't specifically provide the baseline protection for web application vulnerabilities.
D) Use AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront distributions.
- Selected: AWS Firewall Manager is a security management service that simplifies the administration of AWS WAF rul...
Author: Ella · Last updated May 13, 2026
A solutions architect has implemented a SAML 2.0 federated identity solution with their company's on-premises identity provider (IdP) to authenticate users' access to the AWS environment. When the solutions architect tests authentication through the federated identity web portal, access to the AWS environment is granted. However, when test users attempt to authenticate through the federated identity web po...
Reasoning:
In a federated identity setup using SAML 2.0 with AWS, the solution architect needs to ensure that all elements are configured correctly to allow authenticated access to AWS resources. The issue arises because the test users can authenticate successfully through the web portal, but they are unable to access the AWS environment. The solution architect needs to investigate several areas that could potentially be misconfigured. Below is the analysis of each option.
Analyzing each option:
A) The IAM user's permissions policy has allowed the use of SAML federation for that user.
- Rejected: IAM users do not typically have specific permissions for SAML federation. Instead, the federation configuration relies on IAM roles that are assumed via the SAML assertion. The IAM role should trust the SAML identity provider (IdP), and the permissions are granted via those roles. The problem is likely not with the IAM user's permissions policy but with the configuration of the IAM roles or trust policies.
B) The IAM roles created for the federated users' or federated groups' trust policy have set the SAML provider as the principal.
- Selected: The IAM role's trust policy must correctly reference the SAML provider as a trusted entity. If the test users cannot access AWS, this could be due to a misconfiguration in the IAM role's trust policy, where the SAML provider is not properly set as the principal. The role should allow the federated user to assume it, and this is governed by the trust relationship between the IAM role and the SAML IdP.
C) The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider, the ARN of the IAM role, and the SAML assertion from IdP.
- Selected: The AssumeRoleWithSAML API must be called correctly for the federation to work. This API requires the SAML assertion provided by the ...
Author: Emma · Last updated May 13, 2026
A solutions architect needs to improve an application that is hosted in the AWS Cloud. The application uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application's operations insert records into the database. The application currently stores credentials in a text-based configuration file.
The solutions architect needs to implement a solution so that the application can handle the current connec...
To address the requirements in the scenario, let's break down each option and the reasons behind selecting or rejecting them.
A) Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
- Amazon RDS Proxy helps manage database connections efficiently by pooling and reusing connections. This reduces the load on the database and ensures that the application can scale better under high connection demand. Using RDS Proxy addresses the problem of "overloaded connections" by improving the application's ability to handle a high number of concurrent connections without overwhelming the Aurora MySQL DB instance.
- AWS Secrets Manager is a robust solution for managing and rotating credentials securely. It can automatically rotate credentials, which is an essential requirement in this case to meet security and compliance needs.
- Why it's selected: This option solves both issues—overloaded connections and insecure storage of credentials. The use of RDS Proxy addresses the load on the database, while storing credentials securely and automating their rotation through Secrets Manager ensures security.
B) Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials in AWS Systems Manager Parameter Store.
- AWS Systems Manager Parameter Store can store sensitive information securely, but it does not natively support automatic credential rotation as seamlessly as Secrets Manager does. While you can use Lambda functions to rotate credentials manually, it’s not as automated and integrated as with Secrets Manager.
- Why rejected: While it addresses the connection overload issue, storing credentials in Sy...
Author: Akash · Last updated May 13, 2026
A company needs to build a disaster recovery (DR) solution for its ecommerce website. The web application is hosted on a fleet of t3.large Amazon EC2 instances and uses an Amazon RDS for MySQL DB instance. The EC2 instances are in an Auto Scaling group that extends across multiple Availability Zones.
In the event of a disaster, the web application must fail...
To determine the most cost-effective and suitable disaster recovery (DR) solution, let’s analyze each option based on the requirements and the associated cost, RPO, and RTO.
A) Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region. Create a cross-Region read replica for the DB instance. Set up a backup plan in AWS Backup to create cross-Region backups for the EC2 instances and the DB instance. Create a cron expression to back up the EC2 instances and the DB instance every 30 seconds to the DR Region. Recover the EC2 instances from the latest EC2 backup. Use an Amazon Route 53 geolocation routing policy to automatically fail over to the DR Region in the event of a disaster.
- Cost Considerations: This option involves setting up backups for EC2 instances and RDS, which can result in storage costs, but there are no continuous replication mechanisms like AWS Elastic Disaster Recovery or Aurora global databases, so it is relatively cost-effective.
- RPO and RTO Considerations: The cron-based backup plan for EC2 and DB instances every 30 seconds is a potential challenge. AWS Backup does not natively support near-real-time replication or automatic failover in the event of a disaster. Restoring backups every 30 seconds might not meet the strict 30-second RPO, and restoring EC2 instances from backup would typically take more than 10 minutes, potentially breaching the 10-minute RTO.
- Why rejected: The solution's approach of using periodic backups and manual recovery does not meet the RPO and RTO requirements effectively.
B) Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region. Create a cross-Region read replica for the DB instance. Set up AWS Elastic Disaster Recovery to continuously replicate the EC2 instances to the DR Region. Run the EC2 instances at the minimum capacity in the DR Region. Use an Amazon Route 53 failover routing policy to automatically fail over to the DR Region in the event of a disaster.
- Cost Considerations: This option uses AWS Elastic Disaster Recovery (AWS DRS) for continuous replication, which might involve higher costs due to replication and storage in the DR region, as well as the cost of running EC2 instances at minimum capacity in the DR Region.
- RPO and RTO Considerations: Elastic Disaster Recovery replicates EC2 instances with minimal lag and enables the instances to be up and running quickly in the DR Region. Running EC2 instances at minimum capacity in the DR Region ensures that the infrastructure is ready to scale immediately in case of failover, which meets the 10-minute RTO requirement. Using a read replica for the DB ensures that the data is continuously replicated and readily available, achieving the desired 30-second RPO.
- Why it's selected: This option uses AWS DRS for efficient continuous replication and ensures ...
Author: Liam · Last updated May 13, 2026
A company is planning a one-time migration of an on-premises MySQL database to Amazon Aurora MySQL in the us-east-1 Region. The company's current internet connection has limited bandwidth. The on-premises MySQL database is 60 TB in size. The company estimates that it will take a month to transfer the data to AWS over the current internet connection. The...
Let's evaluate the options based on the requirement to migrate a 60 TB MySQL database quickly while considering the bandwidth constraints and the best use of AWS services for large data transfers.
A) Request a 1 Gbps AWS Direct Connect connection between the on-premises data center and AWS. Use AWS Database Migration Service (AWS DMS) to migrate the on-premises MySQL database to Aurora MySQL.
- Bandwidth Consideration: A 1 Gbps Direct Connect connection would provide 1 Gbps of transfer speed. The total data size is 60 TB. To transfer 60 TB at 1 Gbps would take a long time, around 4.5 days (60 TB / (1 Gbps × 60 seconds per minute × 60 minutes per hour × 24 hours per day)).
- AWS DMS Consideration: AWS DMS helps in migrating the database, but it is limited by the bandwidth of the connection, which in this case is 1 Gbps. Given the large size of the database, the time required for transfer remains significant, and using DMS for this migration may still not meet the required speed compared to physical data transfer solutions.
- Why rejected: While AWS Direct Connect offers a stable connection, the transfer time of 4+ days is still far from ideal, and it may still take weeks depending on the sustained throughput.
B) Use AWS DataSync with the current internet connection to accelerate the data transfer between the on-premises data center and AWS. Use AWS Application Migration Service to migrate the on-premises MySQL database to Aurora MySQL.
- DataSync Consideration: AWS DataSync accelerates data transfer between on-premises and AWS, but it still relies on the current internet connection. If the internet connection is the bottleneck, DataSync would not significantly improve the transfer speed compared to the previous solution, since it can't overcome the bandwidth limitations.
- AWS Application Migration Service Consideration: Application Migration Service is more suited for large-scale server migrations, but it is not specifically designed for databases. It is better for full server migrations, not for database-specific workloads like MySQL migration.
- Why rejected: Using the current internet connection, even with DataSync, will still be limited by bandwidth constraints and will not provide the speed needed to migrate 60 TB in a reasonable time frame.
C) Order an AWS Snowball Edge device. Load the data into an Amazon S3 bucket by using the S3 interface. Use AWS Database Migration Service (AWS DMS) to migrate the data from Amazo...
Author: Noah · Last updated May 13, 2026
A company has an application in the AWS Cloud. The application runs on a fleet of 20 Amazon EC2 instances. The EC2 instances are persistent and store data on multiple attached Amazon Elastic Block Store (Amazon EBS) volumes.
The company must maintain backups in a separate AWS Region. The company must be able to recover the EC2 instances and their configuration within 1 business day, with loss of no more than 1 day's worth of data. The company has limited staff and needs a backup solution that optimize...
To determine the best solution for maintaining backups of EC2 instances and meeting the recovery objectives of 1 business day and no more than 1 day's worth of data loss, let's analyze each option based on operational efficiency, cost, and feasibility.
A) Create a second CloudFormation template that can recreate the EC2 instances in the secondary Region. Run daily multivolume snapshots by using AWS Systems Manager Automation runbooks. Copy the snapshots to the secondary Region. In the event of a failure, launch the CloudFormation templates, restore the EBS volumes from snapshots, and transfer usage to the secondary Region.
- Operational Efficiency: The use of AWS Systems Manager Automation runbooks and snapshots is operationally intensive, requiring manual steps to ensure snapshots are copied to the secondary Region. Managing the CloudFormation templates for both EC2 instance recreation and EBS volume restoration requires significant overhead and complexity, especially with large fleets of EC2 instances.
- Cost: While snapshots are a cost-effective storage solution, the overhead of managing multiple CloudFormation templates and automation runbooks may result in higher operational costs and complexity, especially if frequent updates or changes are required.
- Why rejected: This approach is relatively complex and requires more manual effort, which is not ideal for a company with limited staff. The solution also involves multiple moving parts (CloudFormation, Automation runbooks, snapshots) that could result in higher operational overhead.
B) Use Amazon Data Lifecycle Manager (Amazon DLM) to create daily multivolume snapshots of the EBS volumes. In the event of a failure, launch the CloudFormation template and use Amazon DLM to restore the EBS volumes and transfer usage to the secondary Region.
- Operational Efficiency: Amazon DLM simplifies snapshot management and automates the process of taking and retaining EBS snapshots. It can be configured to automatically copy the snapshots to the secondary Region. While DLM helps automate backup processes, manual intervention is still required to launch the CloudFormation template and restore volumes in the event of a failure.
- Cost: Amazon DLM is a low-cost solution for managing EBS snapshots, and copying snapshots across regions is cost-effective for large datasets.
- Why rejected: While DLM improves efficiency, manual intervention to launch CloudFormation templates and restore volumes in the secondary Region may still introduce complexity. It lacks the seamless integration with automated recovery that could further reduce operational overhead.
C) Use AWS Backup to create a scheduled daily backup plan for the EC2 instances. Configure the backup task to copy the backups to a vault in the secondary Region....
Author: Emma · Last updated May 13, 2026
A company is designing a new website that hosts static content. The website will give users the ability to upload and download large files. According to company requirements, all data must be encrypted in transit and at rest. A solutions architect is building the solution by usi...
Goal: The company requires encryption in both transit and at rest for their website, which uses Amazon S3 and Amazon CloudFront for static content hosting. We need to ensure that the solution meets these encryption requirements while optimizing security and compliance.
Let’s break down the requirements and evaluate each option.
A) Turn on S3 server-side encryption for the S3 bucket that the web application uses.
- Encryption at Rest: This option ensures that data stored in Amazon S3 is encrypted when it's at rest. Enabling S3 server-side encryption (SSE) provides this encryption and supports different methods (SSE-S3, SSE-KMS, or SSE-C). Since January 2023 S3 applies SSE-S3 to every new object by default, so the setting chiefly matters when a specific method or key (for example SSE-KMS with a customer managed key) is required.
- Why selected: This option directly addresses the encryption-at-rest requirement, ensuring the files uploaded to the S3 bucket are encrypted when stored, which meets the company's encryption requirement.
- Explanation: Using server-side encryption for S3 is essential for compliance with encryption-at-rest requirements, and this approach is highly scalable and easy to implement.
B) Add a policy attribute of "aws:SecureTransport": "true" for read and write operations in the S3 ACLs.
- Encryption in Transit: The aws:SecureTransport condition key is how you require HTTPS, but it is a condition key for IAM and bucket policies. S3 ACLs are a legacy grant list (canned and explicit grants) with no condition support, so there is nowhere in an ACL to place it.
- Why rejected: ACLs cannot express conditions, so this option cannot enforce encryption in transit at all. The same requirement is met by a bucket policy statement that denies every action when aws:SecureTransport is false.
C) Create a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses.
- Encryption: A bucket policy can deny requests that fail the encryption checks, for example PutObject requests that omit the server-side-encryption header (at rest) and any request made without TLS (in transit), so nothing unencrypted reaches the bucket.
- Why selected: This is a strong security measure. It enforces the encryption requirement at the bucket boundary, so accidental or malicious uploads of unencrypted data, and plain-HTTP reads or writes, are refused rather than merely discouraged.
- Explanation: A bucket policy is the supported place for these conditions, and because an explicit Deny overrides any Allow, it holds even when an IAM user or role has been granted broad S3 permissions elsewhere.
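The following is an added example, not code from the page or from AWS: a bucket policy that carries both the aws:SecureTransport deny discussed under option B and the unencrypted-upload denies of option C, together with a minimal evaluator for the three condition operators the policy uses, so the effect on a few constructed request contexts can be checked offline. The bucket name and the request contexts are assumptions; only the Deny side is modelled, and Allow statements and resource matching are out of scope.

```python
"""Added example: an S3 bucket policy enforcing TLS and SSE-KMS, plus a small
evaluator for its Deny statements. Bucket name and requests are constructed."""
import json
from typing import Dict, Optional

BUCKET = "example-static-site-uploads"  # assumed bucket name, not from the page


def build_bucket_policy(bucket: str) -> dict:
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # In transit: every request, read or write, must arrive over HTTPS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # At rest: refuse uploads that omit the server-side-encryption header.
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # At rest: refuse uploads that name a method other than SSE-KMS.
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
        ],
    }


def _condition_matches(cond: dict, ctx: Dict[str, str]) -> bool:
    """True when every operator/key pair in a Condition block matches ctx."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or have.lower() != want.lower():
                    return False
            elif op == "Null":
                # "true": the key must be absent from the request; "false": present.
                if (have is None) != (want.lower() == "true"):
                    return False
            elif op == "StringNotEquals":
                # A missing key is treated as no match here; the Null statement
                # is what catches the missing-header case.
                if have is None or have == want:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def first_matching_deny(policy: dict, action: str, ctx: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first Deny statement that applies, or None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a in ("s3:*", action) for a in actions):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


# Constructed request contexts (the keys S3 places into policy evaluation).
CONSTRUCTED_REQUESTS = {
    "http_read":     ("s3:GetObject", {"aws:SecureTransport": "false"}),
    "https_no_sse":  ("s3:PutObject", {"aws:SecureTransport": "true"}),
    "https_sse_s3":  ("s3:PutObject", {"aws:SecureTransport": "true",
                                       "s3:x-amz-server-side-encryption": "AES256"}),
    "https_sse_kms": ("s3:PutObject", {"aws:SecureTransport": "true",
                                       "s3:x-amz-server-side-encryption": "aws:kms"}),
}


def evaluate_all(policy: dict) -> Dict[str, Optional[str]]:
    """Map each constructed request to the Sid that denies it (None = not denied)."""
    return {name: first_matching_deny(policy, action, ctx)
            for name, (action, ctx) in CONSTRUCTED_REQUESTS.items()}


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for name, sid in evaluate_all(policy).items():
        print(f"{name:14s} -> {sid or 'not denied by this policy'}")
```

Two caveats when applying this for real: because S3 now encrypts new objects with SSE-S3 by default, the DenyUnencryptedUploads statement is only worth keeping when the requirement is an explicit SSE-KMS key, since it blocks clients that rely on default encryption; and the DenyInsecureTransport statement applies to the console and CLI too, so test it from a role you can still reach the bucket with.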
D) Configure encryption at rest on CloudFront by using server-side encryption with AWS KMS keys (SSE-KMS)....
Author: Sofia2021 · Last updated May 13, 2026
A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system.
The company's developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only member...
To implement a secure solution for managing the production database credentials and meeting the company's requirements, let's analyze each option in detail based on the requirements provided:
Option A: Store the database credentials in AWS Systems Manager Parameter Store by using a SecureString parameter that is encrypted by an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the SecureString parameter. Restrict access to the SecureString parameter and the customer managed key so that only the IT security team can access the parameter and the key.
- Pros:
- Encryption with KMS key: This option uses KMS to encrypt the database credentials, ensuring secure storage.
- Granular access control: The KMS key can be restricted to specific users or groups (in this case, only the IT security team).
- Access via Lambda role: The Lambda function can access the credentials securely through IAM role-based access, adhering to the principle of least privilege.
- Cons:
- Complexity: Using Systems Manager Parameter Store adds complexity when compared to Secrets Manager. It requires additional configuration to securely store and retrieve credentials from the parameter store.
- Rotation and auditing: Parameter Store has no built-in secret rotation; rotation would have to be scripted and scheduled separately, whereas Secrets Manager rotates on a schedule through a rotation function and records each rotation.
- Best suited for: If the organization is comfortable with managing secrets through Parameter Store and requires a low-cost solution with tight access control.
Option B: Encrypt the database credentials by using the AWS Key Management Service (AWS KMS) default Lambda key. Store the credentials in the environment variables of each Lambda function. Load the credentials from the environment variables in the Lambda code. Restrict access to the KMS key so that only the IT security team can access the key.
- Pros:
- Simple implementation: Storing credentials in Lambda environment variables is easy to implement and requires minimal setup.
- Encryption using KMS: The credentials would be encrypted with KMS, ensuring they are protected.
- Cons:
- No automatic rotation: Environment variables don't support automatic rotation or auditing features, unlike AWS Secrets Manager.
- Not ideal for sensitive information: Storing credentials in environment variables is generally considered less secure because it makes it harder to manage and audit access. It is not a best practice for sensitive data like database credentials.
- Limited security controls: Environment variable values are returned in clear text by GetFunctionConfiguration and shown in the console to anyone allowed to view the function, and they can leak into logs or stack traces. The AWS managed key aws/lambda also has an AWS-managed key policy that cannot be restricted to one team, so the option's last step is not achievable with that key; limiting decryption to the IT security team would require a customer managed key, encrypting the values with it before storing them (the Lambda console's encryption helpers do this), and decrypting them in code.
- Best suited for: Quick or temporary solutions, but it is not recommended for production-grade environmen...
Author: NebulaEagle11 · Last updated May 13, 2026
An online retail company is migrating its legacy on-premises .NET application to AWS. The application runs on load-balanced frontend web servers, load-balanced application servers, and a Microsoft SQL Server database.
The company wants to use AWS managed services where possible and does not want to rewrite the application. A solutions architect needs to implement a ...
To meet the requirements of migrating a legacy .NET application to AWS with a focus on scaling, minimizing licensing costs, and leveraging AWS managed services while not requiring a complete rewrite of the application, let's evaluate the options in detail:
Option A: Deploy Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer for the web tier and for the application tier. Use Amazon Aurora PostgreSQL with Babelfish turned on to replatform the SQL Server database.
- Pros:
- Auto Scaling: Using EC2 instances in an Auto Scaling group allows the application to scale dynamically based on demand, addressing scaling issues.
- Amazon Aurora with Babelfish: Babelfish enables compatibility with SQL Server, which allows for minimal changes to the application code and schema while migrating to Aurora PostgreSQL. Aurora is a fully managed database, which minimizes operational overhead compared to managing an on-premises SQL Server database.
- Cost Efficiency: Aurora offers performance and scalability benefits over traditional SQL Server on EC2 instances, and it can reduce licensing costs by using PostgreSQL with Babelfish instead of SQL Server.
- Cons:
- Potential complexity in replatforming: While Babelfish helps with compatibility, there might still be some challenges in ensuring full compatibility with the legacy SQL Server features.
- Best suited for: Companies looking to migrate and scale their .NET application without completely rewriting it, while reducing licensing costs by switching from SQL Server to PostgreSQL with Babelfish.
Option B: Create images of all the servers by using AWS Database Migration Service (AWS DMS). Deploy Amazon EC2 instances that are based on the on-premises imports. Deploy the instances in an Auto Scaling group behind a Network Load Balancer for the web tier and for the application tier. Use Amazon DynamoDB as the database tier.
- Pros:
- AWS DMS: AWS Database Migration Service copies database data between engines; it does not create server images, so the option's first step is not something DMS can do, and it is not a benefit here.
- DynamoDB: A NoSQL database that is highly scalable and fully managed, making it great for certain types of applications.
- Cons:
- Database mismatch: Migrating from SQL Server to DynamoDB would require substantial changes to the application code, because DynamoDB is a key-value and document store without the relational features (joins, stored procedures, T-SQL) a .NET application built on SQL Server relies on. This contradicts the requirement not to rewrite the application.
- Complexity: The approach introduces unnecessary complexity: an extensively modified data layer, and a Network Load Balancer, which operates at Layer 4 and lacks the HTTP-aware routing (path, host and header rules) an Application Load Balancer provides for a web tier.
- Best suited for: Use cases where the application is designed to work with NoSQL and can be fully refactored to take advantage of DynamoDB's features.
Option C: Containerize the web frontend tier and the application tier. Provision an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Create an Auto Scaling group behind a Network Load Balancer for the web tier and for the application tier. Use Amazon RDS for SQL Server to hos...
Author: Elizabeth · Last updated May 13, 2026
A software-as-a-service (SaaS) provider exposes APIs through an Application Load Balancer (ALB). The ALB connects to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that is deployed in the us-east-1 Region. The exposed APIs contain usage of a few non-standard REST methods: LINK, UNLINK, LOCK, and UNLOCK.
Users outside the United States are reporting long and inconsistent response ...
Problem Analysis:
- Users outside the United States are experiencing long and inconsistent response times.
- The Application Load Balancer (ALB) connects to an Amazon EKS cluster in us-east-1.
- The APIs contain non-standard REST methods (LINK, UNLINK, LOCK, UNLOCK), which could be causing some issues with standard HTTP request handling, particularly with caching or latency-related problems in regions far from us-east-1.
Goal:
The solution should reduce latency and minimize operational overhead.
Option Evaluation:
---
A) Add an Amazon CloudFront distribution. Configure the ALB as the origin.
- Analysis:
- Amazon CloudFront is a Content Delivery Network (CDN) that can help reduce latency by caching content at edge locations around the world, ensuring faster access for users regardless of their location.
- CloudFront can cache responses from the ALB and reduce the load on the backend infrastructure.
- However, CloudFront forwards only GET, HEAD, OPTIONS, PUT, POST, PATCH and DELETE to an origin; a request that uses LINK, UNLINK, LOCK or UNLOCK is rejected at the edge and never reaches the ALB.
- Conclusion: CloudFront would cut latency for the standard methods, but the four non-standard methods would stop working, so it does not fit this API as it stands.
---
B) Add an Amazon API Gateway edge-optimized API endpoint to expose the APIs. Configure the ALB as the target.
- Analysis:
- Amazon API Gateway edge-optimized endpoints are served through a CloudFront distribution that API Gateway manages, which reduces latency for clients far from us-east-1 by terminating connections at the edge.
- API Gateway REST and HTTP APIs accept only the standard HTTP methods (ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT); LINK, UNLINK, LOCK and UNLOCK cannot be defined as methods, and the CloudFront layer in front would reject them as well.
- API Gateway can proxy requests to the ALB, but it adds another managed layer to configure, monitor and pay for.
- Conclusion: This option does not handle the non-standard methods and adds operational overhead, so it does not resolve the problem.
...
Author: Aria · Last updated May 13, 2026
A company runs an IoT application in the AWS Cloud. The company has millions of sensors that collect data from houses in the United States. The sensors use the MQTT protocol to connect and send data to a custom MQTT broker. The MQTT broker stores the data on a single Amazon EC2 instance. The sensors connect to the broker through the domain named iot.example.com. The company uses Amazon Route 53 as its DNS service. The company stores the data in Amazon DynamoDB.
On severa...
The problem presented involves an IoT application where millions of sensors are sending data to an MQTT broker hosted on a single EC2 instance. The application is experiencing reliability issues due to the MQTT broker being overloaded, which results in lost sensor data. The goal is to improve the reliability of the solution.
Let's evaluate the proposed solutions:
Option A: Create an Application Load Balancer (ALB) and an Auto Scaling group for the MQTT broker. Use the Auto Scaling group as the target for the ALB. Update the DNS record in Route 53 to an alias record. Point the alias record to the ALB. Use the MQTT broker to store the data.
- Pros:
- Auto Scaling: The Auto Scaling group ensures that additional EC2 instances are spun up as needed to handle high traffic, potentially addressing the scalability issue.
- ALB: The ALB can distribute incoming connections to multiple EC2 instances in the Auto Scaling group, improving the availability and reliability of the MQTT broker.
- Cons:
- Not designed for MQTT: An ALB terminates HTTP/HTTPS and WebSocket traffic at Layer 7; plain MQTT over TCP cannot be routed by it at all, and even MQTT over WebSockets gains nothing from ALB's HTTP-aware features. A Network Load Balancer would be the Layer 4 choice, but the custom broker would still have to share session state across instances.
- Overcomplicating the setup: The solution adds complexity by using an ALB and EC2 instances, but it still doesn't fully address the inherent issues with using a custom MQTT broker in the cloud.
- Best suited for: Applications that use HTTP-based protocols but not ideal for IoT protocols like MQTT.
Option B: Set up AWS IoT Core to receive the sensor data. Create and configure a custom domain to connect to AWS IoT Core. Update the DNS record in Route 53 to point to the AWS IoT Core Data-ATS endpoint. Configure an AWS IoT rule to store the data.
- Pros:
- Fully managed IoT service: AWS IoT Core is a fully managed service designed specifically for handling IoT device connections, including support for MQTT. This would significantly improve the scalability, reliability, and availability of the system.
- Built-in reliability: AWS IoT Core runs across multiple Availability Zones, scales automatically and speaks MQTT natively, with persistent sessions and QoS 1 delivery so messages for a disconnected client are queued until it reconnects.
- Simple integration with DynamoDB: AWS IoT rules can be configured to automatically store data in DynamoDB, eliminating the need for custom broker and storage logic.
- Cons:
- Custom domain setup: A configurable endpoint with a custom domain needs a server certificate in AWS Certificate Manager and the Route 53 change, a one-time task.
- Best suited for: IoT applications that need scalability, reliability, and efficient handling of MQTT messages. AWS IoT Core is specifically designed to solve the issues mentioned in the question.
Option C: Create a Network Load Balancer (NLB). Set the MQTT broker as the target. Create an AWS Global Accelerator accelerator. Set the NLB as the end...
Author: StarlightBear · Last updated May 13, 2026
A company has Linux-based Amazon EC2 instances. Users must access the instances by using SSH with EC2 SSH key pairs. Each machine requires a unique EC2 key pair.
The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the keys in a securely en...
Let's go through each option in detail to evaluate which one meets the requirements for key rotation, securely storing keys, and minimizing downtime during the rotation process.
Requirements:
1. Automatic EC2 Key Pair Rotation: The EC2 key pairs must be rotated automatically upon request.
2. Secure Key Storage: Keys must be stored securely and encrypted.
3. Downtime of less than 1 minute: The solution must ensure minimal downtime (less than 1 minute) during the key rotation.
Option Evaluation:
---
A) Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Secrets Manager.
- Analysis:
- AWS Secrets Manager is a service designed to securely store and manage secrets, such as API keys, passwords, and in this case, private EC2 key pairs.
- Secrets Manager's built-in rotation functionality can be used to automatically rotate secrets, including EC2 key pairs, by invoking a Lambda function to generate new key pairs. The public keys would be replaced on the EC2 instances, and the private keys would be updated in Secrets Manager.
- This solution can be automated to meet the key rotation requirements.
- Minimal Downtime: If the rotation function installs the new public key in authorized_keys before removing the old one, and verifies a login with the new private key in between, there is no window in which neither key works; downtime stays well under the one-minute limit.
- Conclusion: This is a highly secure, automated solution that integrates with EC2 and supports key rotation with minimal downtime.
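As an added example (not code from the page or from AWS), here is the add-then-retire update such a rotation function would apply to an instance's authorized_keys so that the old key keeps working until the new one has been verified. Note that rotating an EC2 key pair object in the console or API does not touch running instances; what has to change is the authorized_keys file, and a Lambda function cannot edit it directly, so it would push this change with, for example, AWS Systems Manager Run Command. The key lines below are constructed placeholders shaped like OpenSSH public keys, not real key material.

```python
"""Added example: two-phase authorized_keys rotation with a guard against
leaving the instance keyless, and an atomic file replace. Keys are constructed."""
import os
import tempfile
from typing import Optional, Tuple

# Constructed placeholders shaped like OpenSSH public-key lines (not real keys).
OLD_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxx old-rotation"
NEW_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxx new-rotation"


def key_identity(line: str) -> Optional[Tuple[str, str]]:
    """(type, base64 blob) of a key line, ignoring the trailing comment; None for
    blank or comment lines. Lines with leading options are not handled."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < 2:
        return None
    return parts[0], parts[1]


def stage_new_key(authorized: str, new_pub: str) -> str:
    """Phase 1: append the new public key (idempotent on retry). The old key
    still works, so an in-flight session or a late connection is not locked out."""
    lines = authorized.splitlines()
    if any(key_identity(l) == key_identity(new_pub) for l in lines):
        return authorized
    lines.append(new_pub)
    return "\n".join(lines) + "\n"


def retire_old_key(authorized: str, old_pub: str, new_pub: str) -> str:
    """Phase 2: remove the old key, but only if the new key is present.
    Refusing otherwise guards against leaving the instance with no usable key."""
    lines = authorized.splitlines()
    if not any(key_identity(l) == key_identity(new_pub) for l in lines):
        raise RuntimeError("new key not installed; refusing to remove old key")
    kept = [l for l in lines if key_identity(l) != key_identity(old_pub)]
    return "\n".join(kept) + ("\n" if kept else "")


def rotate_authorized_keys(authorized: str, old_pub: str, new_pub: str,
                           new_key_verified: bool) -> str:
    """Run both phases; the second only once a test login with the new private
    key has succeeded (new_key_verified is the result of that check)."""
    staged = stage_new_key(authorized, new_pub)
    return retire_old_key(staged, old_pub, new_pub) if new_key_verified else staged


def write_atomically(path: str, content: str) -> None:
    """Replace authorized_keys with one rename so sshd never reads a half-written
    file, and keep the 0600 mode that sshd's StrictModes expects."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    current = "# managed by rotation\n" + OLD_PUB + "\n"
    print(rotate_authorized_keys(current, OLD_PUB, NEW_PUB, new_key_verified=False))
    print(rotate_authorized_keys(current, OLD_PUB, NEW_PUB, new_key_verified=True))
```

The verification step between the two phases is what makes the downtime zero rather than merely short: the old key is only retired after the new private key, already stored in Secrets Manager, has been proven to open a session.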
---
B) Store all the keys in Parameter Store, a capability of AWS Systems Manager, as a string. Define a Systems Manager maintenance window to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Parameter Store.
- Analysis:
- AWS Systems Manager Parameter Store can store secrets, but the option stores them as a plain String parameter, which is not encrypted; only SecureString parameters are encrypted with AWS KMS. Parameter Store also has no native key rotation.
- A maintenance window could be used to trigger a Lambda function to generate new EC2 key pairs, but Parameter Store lacks the native integration and automated key rotation features provided by Secrets Manager.
- This approach would require manual management and more complex handling of key rotation.
- Downtime Management: While downtime could be minimized with a maintenance window, the lack of native rotation support would require more manual intervention and could lead to higher risks of error.
- Conclusion: This option is viable but less...
Author: Suresh · Last updated May 13, 2026
A company wants to migrate to AWS. The company is running thousands of VMs in a VMware ESXi environment. The company has no configuration management database and has little knowledge about the utilization of the VMware portfolio.
A solutions architect must provide the company with an accurate inventory so that ...
Let's break down each option and analyze which one best suits the company's needs with the least operational overhead:
Option A: Use AWS Systems Manager Patch Manager to deploy Migration Evaluator to each VM. Review the collected data in Amazon QuickSight. Identify servers that have high utilization. Remove the servers that have high utilization from the migration list. Import the data to AWS Migration Hub.
- Analysis:
- AWS Systems Manager Patch Manager is used for patch management, not specifically for VM migration or inventory management.
- Migration Evaluator helps in assessing migration needs, but deploying it via Patch Manager may involve unnecessary complexity, especially since Patch Manager is not optimized for this task.
- Reviewing data in QuickSight is useful for visualization but doesn’t align with automated inventory collection or migration planning.
- High-utilization servers may require more effort to migrate, but identifying this manually adds operational overhead.
- Why it's rejected: Using Patch Manager is an indirect approach for migration inventory and adds unnecessary operational overhead. Migration Evaluator does not need to be deployed via Patch Manager, and manual analysis in QuickSight further increases complexity.
Option B: Export the VMware portfolio to a .csv file. Check the disk utilization for each server. Remove servers that have high utilization. Export the data to AWS Application Migration Service. Use AWS Server Migration Service (AWS SMS) to migrate the remaining servers.
- Analysis:
- Exporting data from VMware manually (to .csv) and then reviewing disk utilization requires significant manual effort and expertise.
- Identifying high-utilization servers manually adds complexity.
- AWS Server Migration Service (AWS SMS) reached end of support in March 2022 and was superseded by AWS Application Migration Service, so a new migration should not be planned around it; in any case this option does nothing to streamline the inventory step.
- Why it's rejected: The manual process of exporting, checking utilization, and handling the data in .csv format adds a lot of operational overhead. The solution is not automated and would require substantial effort to manage accurately.
Option C: Deploy the Migration Evaluator agentless...
Author: ElectricLionX · Last updated May 13, 2026
A company runs a microservice as an AWS Lambda function. The microservice writes data to an on-premises SQL database that supports a limited number of concurrent connections. When the number of Lambda function invocations is too high, the database crashes and causes application downtime. The company has an AWS Direct Connect connection between the ...
Problem Analysis:
- Microservice with Lambda: The company is using AWS Lambda to run a microservice that writes to an on-premises SQL database.
- Database constraints: The on-premises SQL database has a limited number of concurrent connections, and when Lambda invocations exceed that limit, the database crashes.
- Direct Connect: The company has AWS Direct Connect, which provides a high-bandwidth, low-latency connection between the VPC and the on-premises data center.
The goal is to prevent database crashes caused by too many concurrent connections by controlling Lambda's concurrency and introducing a mechanism to handle database connections more efficiently.
Option Evaluation:
---
A) Write the data to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the Lambda function to read from the queue and write to the existing database. Set a reserved concurrency limit on the Lambda function that is less than the number of connections that the database supports.
- Analysis:
- SQS serves as a buffer, ensuring that the Lambda function only processes requests at a manageable rate.
- Setting a reserved concurrency limit on the Lambda function ensures that the number of concurrent Lambda invocations doesn't exceed the database's connection limit.
- This solution is simple, utilizes native AWS services (SQS), and gives control over the Lambda concurrency.
- The queue retains each message until the function deletes it, so a message whose write fails is retried rather than lost, and the database only ever sees as many writers as the concurrency limit allows. A standard queue does not guarantee ordering; use a FIFO queue if the writes must be applied in order.
- Conclusion: This is an efficient and low-cost solution that meets the requirements. It controls Lambda's concurrency, prevents database overload, and ensures smooth operations.
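The handler side of option A, as an added example that is not code from the page or from AWS: an SQS-triggered function that writes each message to a connection-limited database and reports per-record failures, so that only the failed messages return to the queue. The database client is a stand-in with a constructed connection budget and a constructed schema rule; the reserved concurrency that bounds how many copies of the handler run is a function setting, not something the code controls, and the values used for it here are assumptions.

```python
"""Added example: SQS batch handler with partial-batch failure reporting and a
connection reused across invocations. Limits, schema and event are constructed."""
import json
from typing import Dict, List

DB_CONNECTION_LIMIT = 20   # assumed: what the on-premises database tolerates
RESERVED_CONCURRENCY = 15  # assumed: kept below the limit to leave headroom


class ConnectionBudgetDB:
    """Stand-in for the on-premises SQL database. Each execution environment
    opens one connection and reuses it; the class counts open connections so the
    budget can be checked the way the real database would enforce it."""
    open_connections = 0

    def __init__(self):
        if ConnectionBudgetDB.open_connections >= DB_CONNECTION_LIMIT:
            raise RuntimeError("too many connections")
        ConnectionBudgetDB.open_connections += 1
        self.rows: List[dict] = []

    def insert(self, row: dict) -> None:
        if "order_id" not in row:        # constructed schema constraint
            raise ValueError("order_id is required")
        self.rows.append(row)


_db = None  # created once per execution environment, reused across invocations


def get_db() -> ConnectionBudgetDB:
    global _db
    if _db is None:
        _db = ConnectionBudgetDB()
    return _db


def handler(event: dict, context=None) -> Dict[str, List[dict]]:
    """Process one batch and return batchItemFailures so SQS retries only those
    messages (needs ReportBatchItemFailures on the event source mapping)."""
    db = get_db()
    failures: List[dict] = []
    for record in event["Records"]:
        try:
            db.insert(json.loads(record["body"]))   # JSONDecodeError is a ValueError
        except (ValueError, RuntimeError):
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def lambda_settings() -> dict:
    """Function and event-source settings that make the pattern hold; apply them
    with the CLI or IaC. Values are the assumptions declared above."""
    return {
        "ReservedConcurrentExecutions": RESERVED_CONCURRENCY,
        "EventSourceMapping": {
            "BatchSize": 10,
            "FunctionResponseTypes": ["ReportBatchItemFailures"],
            # Per-source cap that avoids throttled polls; minimum value is 2.
            "ScalingConfig": {"MaximumConcurrency": RESERVED_CONCURRENCY},
        },
    }


# Constructed SQS event: two valid rows and one the database rejects.
CONSTRUCTED_EVENT = {
    "Records": [
        {"messageId": "msg-1", "body": json.dumps({"order_id": "o-100", "total": 21.5})},
        {"messageId": "msg-2", "body": json.dumps({"total": 19.0})},
        {"messageId": "msg-3", "body": json.dumps({"order_id": "o-101", "total": 22.1})},
    ]
}

if __name__ == "__main__":
    print(handler(CONSTRUCTED_EVENT))
```

Two settings matter as much as the code: set the queue's visibility timeout to at least six times the function timeout so a batch is not redelivered while it is still being processed, and prefer the event source mapping's MaximumConcurrency over reserved concurrency alone, because with a low reserved concurrency the SQS poller can still be throttled and messages then count a receive without being processed.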
---
B) Create a new Amazon Aurora Serverless DB cluster. Use AWS DataSync to migrate the data from the existing database to Aurora Serverless. Reconfigure the Lambda function to write to Aurora.
- Analysis:
- Amazon Aurora Serverless scales capacity with demand, which would remove the connection ceiling that crashes the current database. However, this option migrates the data to a cloud database, a large architectural change, and it names the wrong tool for it: AWS DataSync transfers files and objects (NFS, SMB, S3, EFS), not relational databases; AWS DMS or a native export would be needed.
- The existing application would need to be reconfigured to use Aurora, and the migration of data could be complex, depending on the size of the database and the schema.
- Conclusion: While Aurora Serverless could solve the scalability issue, it is not ...
Author: SilverBear · Last updated May 13, 2026
A company uses a Grafana data visualization solution that runs on a single Amazon EC2 instance to monitor the health of the company's AWS workloads. The company has invested time and effort to create dashboards that the company wants to preserve. The dashboards need to be highly available and cannot be down for longer than 10 m...
Let’s analyze each option to find the one that best meets the company’s requirements for high availability, preservation of dashboards, and minimizing ongoing maintenance.
Option A: Migrate to Amazon CloudWatch dashboards. Recreate the dashboards to match the existing Grafana dashboards. Use automatic dashboards where possible.
- Analysis:
- CloudWatch dashboards are a native AWS solution for visualizing metrics, but they are different from Grafana in terms of functionality and flexibility.
- Recreating the dashboards would require significant effort and time, which contradicts the goal of minimizing operational overhead.
- While CloudWatch dashboards are highly available and fully managed, migrating to them would mean abandoning Grafana's flexibility and customizability, which could lead to a loss of key features that the company may rely on in Grafana.
- The company would still need to manually recreate and configure the dashboards.
- Why it's rejected: This option involves manual migration, significant effort to recreate dashboards, and the potential loss of Grafana’s advanced features. It does not minimize operational overhead, especially for the company’s existing investment in Grafana.
Option B: Create an Amazon Managed Grafana workspace. Configure a new Amazon CloudWatch data source. Export dashboards from the existing Grafana instance. Import the dashboards into the new workspace.
- Analysis:
- Amazon Managed Grafana provides a fully managed Grafana service with built-in support for CloudWatch and other data sources, which reduces maintenance overhead.
- Migrating dashboards from the existing EC2-hosted Grafana instance to Amazon Managed Grafana is relatively straightforward and preserves the company’s investment in Grafana.
- Managed Grafana is highly available and integrates with multiple AWS services (e.g., CloudWatch, Amazon RDS, etc.), providing a scalable, resilient solution.
- Dashboards can be exported as JSON through the Grafana HTTP API (or the dashboard settings page) and imported into the workspace the same way, so the move is mostly mechanical and can be scripted.
- Why it's selected: This option preserves the company's existing Grafana dashboards, minimizes operational overhead, and ensures high availability by using a fully managed service. It’s also highly scalable and integrates seamlessly with AWS services.
Option C: Create an AMI that has Grafana pre-installed. Store the existing dashboards in Amazon Elastic File System (Amazon EFS). Create...
Author: Amelia · Last updated May 13, 2026
A company needs to migrate its customer transactions database from on premises to AWS. The database resides on an Oracle DB instance that runs on a Linux server. According to a new security requirement, the company must rotate the database ...
Let’s analyze each option and determine which solution best meets the company's needs for migrating the database, ensuring security, and minimizing operational overhead.
Option A: Convert the database to Amazon DynamoDB by using the AWS Schema Conversion Tool (AWS SCT). Store the password in AWS Systems Manager Parameter Store. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function for yearly password rotation.
- Analysis:
- DynamoDB is a NoSQL database, whereas the company’s existing database is an Oracle database, which requires relational database features that DynamoDB doesn't support. Migrating from a relational database like Oracle to a NoSQL solution like DynamoDB would require substantial changes to the application and database schema.
- AWS Systems Manager Parameter Store can store the password, but a CloudWatch alarm fires on a metric threshold, not on a calendar; a yearly trigger would need an EventBridge schedule, and the rotation logic itself would still have to be written and maintained in Lambda, adding complexity and operational overhead.
- The migration to DynamoDB is not ideal in this case because it would require significant application changes and isn’t suitable for the company’s current relational Oracle database.
- Why it's rejected: The migration to DynamoDB is unsuitable for the company’s use case, as it involves a non-relational database that doesn't match the current system’s requirements.
Option B: Migrate the database to Amazon RDS for Oracle. Store the password in AWS Secrets Manager. Turn on automatic rotation. Configure a yearly rotation schedule.
- Analysis:
- Amazon RDS for Oracle is a managed relational database service that fully supports Oracle databases. It provides a simple, scalable solution for running Oracle workloads on AWS, which minimizes management overhead.
- AWS Secrets Manager supports automatic password rotation, which means the database password can be automatically rotated on a configurable schedule (in this case, yearly) with minimal operational overhead.
- This approach leverages AWS managed services that automate password management and reduce the complexity of manual interventions, providing a highly scalable and low-maintenance solution.
- Why it's selected: This solution provides the least operational overhead by using a fully managed RDS service for Oracle and automating password rotation with Secrets Manager. It meets the security requirement for rotating th...
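To show what "turn on automatic rotation" does underneath, here is an added example that is not code from the page or from AWS: the four steps Secrets Manager invokes on a rotation function (createSecret, setSecret, testSecret, finishSecret), run against in-memory stand-ins for Secrets Manager and the Oracle database so the staging-label handoff can be followed offline. For RDS, AWS supplies the rotation function; the secret layout, the fake clients and the password policy here are assumptions.

```python
"""Added example: the Secrets Manager rotation steps and AWSPENDING/AWSCURRENT
label handoff, driven against constructed stand-ins for the service and the DB."""
import json
import secrets
import string
from typing import Dict, Tuple


class FakeSecretsManager:
    """Versions carry staging labels; AWSCURRENT is what applications read."""
    def __init__(self, current: dict):
        self.versions: Dict[str, dict] = {
            "v0": {"labels": {"AWSCURRENT"}, "value": json.dumps(current)}}

    def get_secret_value(self, stage: str) -> Tuple[str, dict]:
        for vid, v in self.versions.items():
            if stage in v["labels"]:
                return vid, json.loads(v["value"])
        raise KeyError(stage)

    def put_secret_value(self, vid: str, value: dict) -> None:
        self.versions[vid] = {"labels": {"AWSPENDING"}, "value": json.dumps(value)}

    def move_stage(self, stage: str, to_vid: str, from_vid: str) -> None:
        self.versions[from_vid]["labels"].discard(stage)
        self.versions[to_vid]["labels"].add(stage)


class FakeOracleDB:
    """Stand-in for RDS for Oracle: one user whose password can be altered."""
    def __init__(self, user: str, password: str):
        self._creds = {user: password}

    def connect(self, user: str, password: str) -> bool:
        return self._creds.get(user) == password

    def alter_user_password(self, user: str, new_password: str) -> None:
        self._creds[user] = new_password


def new_password(length: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits + "_-#%"   # assumed policy
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_secret(sm, vid):
    # Step 1: stage a candidate under AWSPENDING; a retry must not mint another.
    try:
        sm.get_secret_value("AWSPENDING")
        return
    except KeyError:
        pass
    _, current = sm.get_secret_value("AWSCURRENT")
    sm.put_secret_value(vid, {**current, "password": new_password()})


def set_secret(sm, db):
    # Step 2: change the password in the database using the still-valid current one.
    _, current = sm.get_secret_value("AWSCURRENT")
    _, pending = sm.get_secret_value("AWSPENDING")
    if not db.connect(current["username"], current["password"]):
        raise RuntimeError("current credentials no longer work; cannot rotate")
    db.alter_user_password(pending["username"], pending["password"])


def verify_secret(sm, db):
    # Step 3 (testSecret): prove the pending credentials log in before promotion.
    _, pending = sm.get_secret_value("AWSPENDING")
    if not db.connect(pending["username"], pending["password"]):
        raise RuntimeError("pending credentials rejected; rotation halted")


def finish_secret(sm, vid):
    # Step 4: promote with one label move; the old version keeps AWSPREVIOUS.
    current_vid, _ = sm.get_secret_value("AWSCURRENT")
    sm.move_stage("AWSCURRENT", to_vid=vid, from_vid=current_vid)
    sm.versions[current_vid]["labels"].add("AWSPREVIOUS")
    sm.versions[vid]["labels"].discard("AWSPENDING")


def rotate_secret(sm, db, vid: str = "v1") -> dict:
    """Run the steps in order and return the credentials now marked AWSCURRENT."""
    create_secret(sm, vid)
    set_secret(sm, db)
    verify_secret(sm, db)
    finish_secret(sm, vid)
    return sm.get_secret_value("AWSCURRENT")[1]


# Constructed starting state: an Oracle application user and its current password.
INITIAL = {"engine": "oracle", "username": "app_user", "password": "Initial-Pass-1"}

if __name__ == "__main__":
    sm, db = FakeSecretsManager(INITIAL), FakeOracleDB("app_user", "Initial-Pass-1")
    print(rotate_secret(sm, db))
```

The property worth noticing is that the application-visible label only moves in the last step, after the new password has been proven against the database; a failure in any earlier step leaves AWSCURRENT untouched and the rotation can be retried. Applications should fetch the secret at connection time (or on authentication failure) rather than caching it indefinitely, or they will keep presenting the retired password after a rotation.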
Author: James · Last updated May 13, 2026
A solutions architect is designing an AWS account structure for a company that consists of multiple teams. All the teams will work in the same AWS Region. The company needs a VPC that is connected to the on-premises network. The company expects less than 50 Mbps of total traffic to and f...
Let's break down each of the options and evaluate them based on the requirements of the company:
Requirements:
1. Multiple teams working in the same AWS Region.
2. A VPC that is connected to the on-premises network.
3. Less than 50 Mbps of total traffic to and from the on-premises network (which indicates relatively low bandwidth requirements).
4. Cost-effectiveness is a priority.
Option Evaluation:
---
A) Create an AWS CloudFormation template that provisions a VPC and the required subnets. Deploy the template to each AWS account.
- Analysis:
- AWS CloudFormation can automate the creation of infrastructure, including VPCs and subnets, which helps in standardizing and scaling the environment for multiple accounts.
- Deploying the template to each AWS account could work well if the company uses separate accounts for different teams and needs each team to have its own VPC.
- However, with less than 50 Mbps of total traffic, a VPC per account would multiply VPN or Direct Connect attachments, NAT gateways and routing configuration for very little benefit, so this is unlikely to be the most cost-efficient design.
- Conclusion: This option is useful in some scenarios but could be more costly and less efficient in terms of management and centralization.
---
B) Create an AWS CloudFormation template that provisions a VPC and the required subnets. Deploy the template to a shared services account. Share the subnets by using AWS Resource Access Manager.
- Analysis:
- This approach involves creating the VPC in a shared services account and then using AWS Resource Access Manager (RAM) to share the subnets with other accounts.
- This approach is cost-effective because it allows the company to maintain a centralized VPC while enabling other teams to use the same VPC and subnets without duplicating resources.
- By sharing the subnets, the company keeps a single connection to the on-premises network instead of one per account. The owning account retains control of the route tables, network ACLs and the VPN or Direct Connect attachment, while participant accounts launch their resources into the shared subnets, which also makes the network easier to audit.
- Conclusion: This is a highly cost-effective approach, as it centralizes infrastructure while allowing access for multiple teams.
---
C) Use AWS Transit Gateway along with an AWS Site-to-Site VPN for connectivity to the on-premises network. Share the transit gateway by using AWS Resource Access Manager.
- Analysis:
- AWS Transit Gateway is typically used in scenarios where multiple VPCs need to communicate with each other o...
Author: Noah · Last updated May 13, 2026
A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations. The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway. Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet. The company deploys resources only into a single AWS Region.
The company needs the ability to add centrally managed rule...
To meet the requirement of centrally managing rule-based filtering for outbound traffic from all AWS accounts in the organization, let's evaluate each option:
A) Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy's Auto Scaling group.
- Pros: This solution involves creating a new VPC for outbound traffic and using EC2 instances running an open-source proxy for rule-based filtering. This could offer flexibility in filtering outbound traffic.
- Cons: Managing EC2 instances as proxies requires a significant operational overhead, such as scaling, patching, and maintaining the open-source software. This solution could lead to complexities in scaling to handle the traffic load, especially considering the peak load of 25 Gbps in each Availability Zone.
- Scalability Issues: EC2 instances are not an ideal choice for handling large amounts of outbound traffic (especially 25 Gbps per AZ) because EC2 instances might not be optimized for that level of traffic. Additionally, managing EC2 instances for high throughput can be cumbersome.
- Maintenance Overhead: Using an open-source proxy solution would require constant updates and monitoring for security vulnerabilities, making this a less reliable long-term solution.
B) Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.
- Pros: AWS Network Firewall is a fully managed service that provides centralized rule-based filtering for outbound traffic. It is scalable and can handle high traffic loads. It integrates well with the AWS environment and supports automatic scaling.
- Scalability: AWS Network Firewall endpoints are designed to scale efficiently across Availability Zones, and with traffic peaks of 25 Gbps per AZ, it would handle the load effectively.
- C...
Author: Nia · Last updated May 13, 2026
A company uses a load balancer to distribute traffic to Amazon EC2 instances in a single Availability Zone. The company is concerned about security and wants a solutions architect to re-architect the solution to meet the following requirements:
* Inbound requests must be filtered for common vulnerability attacks.
* Rejected reque...
Let's break down the requirements and evaluate the solutions:
Requirements:
1. Inbound requests must be filtered for common vulnerability attacks: This implies that AWS WAF (Web Application Firewall) is needed to filter and block common attacks like SQL injection, cross-site scripting (XSS), etc.
2. Rejected requests must be sent to a third-party auditing application: Rejected requests should be logged and forwarded to a third-party system for auditing.
3. All resources should be highly available: This suggests the need for multi-AZ deployment to ensure high availability and avoid single points of failure.
Option Evaluation:
---
A) Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Use Amazon Inspector to monitor traffic to the ALB and EC2 instances. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB. Use an AWS Lambda function to frequently push the Amazon Inspector report to the third-party auditing application.
- Analysis:
- Multi-AZ Auto Scaling is a good choice for high availability.
- Amazon Inspector is useful for finding vulnerabilities in EC2 instances, but it's not specifically designed for filtering inbound web traffic or rejecting malicious requests. It’s more suited for assessing EC2 instance security.
- AWS WAF with web ACL is correctly used to filter malicious inbound requests.
- However, the use of Amazon Inspector for auditing is not optimal. WAF logs (or CloudWatch Logs) would be more efficient for capturing rejected requests, rather than relying on Amazon Inspector, which is not intended for this purpose.
- Conclusion: This option does not provide the most direct and efficient solution for forwarding rejected requests to the third-party auditing application.
---
B) Configure an Application Load Balancer (ALB) and add the EC2 instances as targets. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB name and enable logging with Amazon CloudWatch Logs. Use an AWS Lambda function to frequently push the logs to the third-party auditing application.
- Analysis:
- ALB and WAF are used correctly for filtering and securing inbound traffic.
- Enabling CloudWatch Logs for AWS WAF is a solid choice because these logs will capture information about rejected requests, which can then be forwarded to the third-party auditing application.
- Using an AWS Lambda function to push logs to the third-party auditing application is a practical solution to meet the auditing requirement.
- This solution meets all the requirements, ensuring both security filtering and logging, while maintaining simplicity and efficiency.
- Conclusion: This is a strong and cost-effective solution that meets all the requirements.
---
C) Config...
Author: CrimsonViperX · Last updated May 13, 2026
A company is running an application in the AWS Cloud. The application consists of microservices that run on a fleet of Amazon EC2 instances in multiple Availability Zones behind an Application Load Balancer. The company recently added a new REST API that was implemented in Amazon API Gateway. Some of the older microservices that run on EC2 instances need to call this new API.
The company does not want the API...
The company needs a solution that allows its EC2-based microservices to securely access the new REST API in Amazon API Gateway without exposing the API to the public internet. Let's evaluate each of the options:
A) Create an AWS Site-to-Site VPN connection between the VPC and the API Gateway. Use API Gateway to generate a unique API Key for each microservice. Configure the API methods to require the key.
- Pros:
- Using a VPN connection would securely connect the VPC to the API Gateway, ensuring that traffic between the EC2 instances and the API does not traverse the public internet.
- Cons:
- This option involves additional overhead in setting up and maintaining the Site-to-Site VPN connection.
- While the API key can help authenticate microservices, using VPN connections with API Gateway isn't the most efficient or AWS-recommended approach. VPN connections are more suited for extending on-premises networks into AWS, not necessarily for communication between VPCs and API Gateway.
- This solution would be more complex and require manual management of VPN configurations.
B) Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow access to the specific API. Add a resource policy to API Gateway to only allow access from the VPC endpoint. Change the API Gateway endpoint type to private.
- Pros:
- Private API Gateway: This solution uses a private API Gateway endpoint that is not exposed to the public internet. The VPC endpoint ensures that traffic between the EC2 instances in the VPC and API Gateway is routed privately within the AWS network.
- Security: The solution uses both an endpoint policy and a resource policy to limit access to only the specific API, ensuring that no other services can access it.
- Best Practice: This is the recommended approach for keeping the API secure and private while allowing internal access. It avoids the use of public IP addresses for communication and makes use of AWS's native VPC features for secure communication.
- ...
Author: Leah Davis · Last updated May 13, 2026
A company has set up its entire infrastructure on AWS. The company uses Amazon EC2 instances to host its ecommerce website and uses Amazon S3 to store static data. Three engineers at the company handle the cloud administration and development through one AWS account. Occasionally, an engineer alters an EC2 security group configuration of another engineer and causes noncompliance issues in the environment.
A solutions architect must set up a system that tracks changes that the engineer...
To meet the requirements of tracking and alerting on noncompliant changes to EC2 security groups, let's evaluate the options based on their ability to monitor changes and provide quick alerts, while ensuring compliance.
Option A: Set up AWS Organizations for the company. Apply SCPs to govern and track noncompliant security group changes that are made to the AWS account.
- Pros:
- Service Control Policies (SCPs) in AWS Organizations can be used to define restrictions on actions across AWS accounts.
- SCPs could prevent certain changes to security group configurations if defined correctly.
- Cons:
- SCPs are primarily used to limit the ability to make specific changes, not for tracking or alerting on changes. They prevent actions, but they don’t provide the kind of detailed logging and alerting functionality that the scenario requires.
- SCPs cannot track or log changes made to security groups. They only restrict actions.
Option B: Enable AWS CloudTrail to capture the changes to EC2 security groups. Enable Amazon CloudWatch rules to provide alerts when noncompliant security settings are detected.
- Pros:
- AWS CloudTrail logs API calls and captures changes made to resources, such as EC2 security group configurations. This allows you to track who made changes, what was changed, and when the change occurred.
- You can set up Amazon CloudWatch rules to trigger alerts based on specific events captured by CloudTrail. This is a fast and effective way to detect noncompliant changes and notify engineers or administrators.
- Cons:
- While effective in tracking changes and sending alerts, this solution doesn’t explicitly address compliance checks; you'd need to build custom logic to identify "noncompliant" changes (e.g., comparing security group settings to a baseline).
Option C: Enable SCPs on the AWS account to provide a...
Author: Emma · Last updated May 13, 2026
A company has IoT sensors that monitor traffic patterns throughout a large city. The company wants to read and collect data from the sensors and perform aggregations on the data.
A solutions architect designs a solution in which the IoT devices are streaming to Amazon Kinesis Data Streams. Several applications are reading from the stream. However, several consumers are experiencing throttli...
The problem in the scenario involves throttling and the `ReadProvisionedThroughputExceeded` error in Amazon Kinesis Data Streams. This error typically occurs when the consumer applications exceed the allowed read throughput limits for the stream. To resolve this, several actions can be taken to optimize the performance and reduce throttling.
Option A: Reshard the stream to increase the number of shards in the stream.
- Pros:
- Increasing the number of shards will provide more read throughput capacity and allow for higher parallelism in processing the stream, which directly addresses throttling issues caused by high traffic or a high volume of consumers.
- Resharding increases both the read and write capacity for the stream by increasing the number of shards.
- Cons:
- While this option addresses throughput limits, resharding can increase cost, as each additional shard incurs a charge. It also introduces operational complexity as the number of shards increases, so it should be done carefully after monitoring the current throughput usage.
Option B: Use the Kinesis Producer Library (KPL). Adjust the polling frequency.
- Pros:
- The Kinesis Producer Library (KPL) helps optimize the production of data by batch writing records to Kinesis, which can improve the overall write efficiency. However, this doesn’t directly solve read throughput issues caused by consumers throttling.
- Cons:
- Adjusting the polling frequency and using the KPL optimizes data production but does not directly address the read throttling issue that consumers are encountering. Therefore, it is not the most effective solution for the problem described.
Option C: Use consumers with the enhanced fan-out feature.
- Pros:
- The enhanced fan-out feature allows each consumer to receive its own read throughput capacity (up to 2 MB per second per consumer), independent of other consumers. This prevents throttling when multiple consumers are reading from the stream simultaneously.
- It is an ideal solution for high-throughput scenarios with many consumers, as it eliminates the contention for shared read throughput.
- Cons:
- Enhanced fan-out incurs additional costs for each consumer that uses it. It’s necessary to evaluate whether th...
Author: FrozenWolf2022 · Last updated May 13, 2026
A company uses AWS Organizations to manage its AWS accounts. The company needs a list of all its Amazon EC2 instances that have underutilized CPU or memory usage. The company also needs recommendations for how to downsize the...
Let's analyze each option in the context of meeting the company's requirements—listing all underutilized EC2 instances and providing recommendations for downsizing with minimal effort:
A) Install a CPU and memory monitoring tool from AWS Marketplace on all the EC2 instances. Store the findings in Amazon S3. Implement a Python script to identify underutilized instances. Reference EC2 instance pricing information for recommendations about downsizing options.
- Pros:
- This solution provides flexibility in monitoring, as the company can select a custom tool from AWS Marketplace.
- Storing findings in S3 gives easy access to data.
- The Python script can be customized to meet specific business needs.
- Cons:
- It requires significant manual setup: you need to install the tool, write and maintain the Python script, and manage the data.
- It's labor-intensive and might take more time to implement than using AWS managed services like CloudWatch.
- EC2 pricing reference for recommendations would need to be manually handled, requiring updates and maintenance.
Reason for rejection: Although flexible, this option involves too much manual setup and maintenance, leading to higher operational overhead compared to automated solutions.
B) Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems Manager. Retrieve the resource optimization recommendations from AWS Cost Explorer in the organizations management account. Use the recommendations to downsize underutilized instances in all accounts of the organization.
- Pros:
- The CloudWatch agent can automatically collect CPU and memory metrics, which is simple to set up using Systems Manager.
- AWS Cost Explorer provides easy-to-use recommendations for optimization, which can help in identifying underutilized instances and potential cost savings.
- The solution supports centralized management through the organization's management account, allowing for easier coordination across accounts.
- Cons:
- CloudWatch doesn't provide specific memory usage metrics by default for EC2 instances, and you need to install the CloudWatch agent manually for full metrics, which could require extra configuration.
Reason for rejection: While this is a good solution, it might not fully address memory usage unless the CloudWatch agent is explicitly set up for memory, which may involve some additional configuration.
C) Install the Amazon CloudWatch agent on all the EC2 instances by using AWS System...
Author: David · Last updated May 13, 2026
A company wants to run a custom network analysis software package to inspect traffic as traffic leaves and enters a VPC. The company has deployed the solution by using AWS CloudFormation on three Amazon EC2 instances in an Auto Scaling group. All network routing has been established to direct traffic to the EC2 instances.
Whenever the analysis software stops working, the Auto Scaling gr...
To resolve the issue of the network routes not being updated when an instance is replaced by the Auto Scaling group, we need to address both the replacement process and the update of the routing configuration. Let’s evaluate each option and determine which steps should be taken:
Option A: Create alarms based on EC2 status check metrics that will cause the Auto Scaling group to replace the failed instance.
- Evaluation: This step ensures that the Auto Scaling group will replace an EC2 instance if it fails, but it doesn't address the issue of updating the network routes when an instance is replaced. It helps ensure that a failed instance is replaced, but additional steps are needed to manage the routing configuration.
- Reason for Rejection: While useful for monitoring EC2 instance health, this step alone does not address the routing issue.
Option B: Update the CloudFormation template to install the Amazon CloudWatch agent on the EC2 instances. Configure the CloudWatch agent to send process metrics for the application.
- Evaluation: Installing the CloudWatch agent to monitor application-level metrics is useful for tracking the health of the software running on the EC2 instances, but it doesn’t directly impact network routing or automatically trigger routing updates when an instance is replaced.
- Reason for Rejection: This step is useful for monitoring but doesn’t directly solve the routing issue after an instance replacement.
Option C: Update the CloudFormation template to install AWS Systems Manager Agent on the EC2 instances. Configure Systems Manager Agent to send process metrics for the application.
- Evaluation: AWS Systems Manager is a powerful tool for managing EC2 instances and running commands remotely. However, just sending process metrics with Systems Manager doesn’t solve the problem of network routes not being updated when an instance is replaced.
- Reason for Rejection: Although AWS Systems Manager is useful for managing instances and performing actions like updating configurations, it doesn’t solve the issue of routing.
Option D: Create an alarm for the custom metric in Amazon CloudWatch for the failure scenarios. Configure the alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
- Evaluation: This step can help detect failure scenarios and alert administrato...
Author: Sofia · Last updated May 13, 2026
A company is developing a new on-demand video application that is based on microservices. The application will have 5 million users at launch and will have 30 million users after 6 months. The company has deployed the application on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate. The company developed the application by using ECS services that use the HTTPS protocol.
A solutions architect needs to implement updates to the application by using blue/green deployments. The solution must...
Let's evaluate each option based on the requirements:
Requirements Breakdown:
1. Blue/Green Deployment: The solution must support blue/green deployment for easy application updates and rollback.
2. HTTPS Traffic: The application uses the HTTPS protocol, so the solution must be capable of handling secure traffic.
3. Load Balancer: The traffic to each ECS service must be distributed through a load balancer.
4. Automatic Scaling: The number of tasks (containers) must automatically adjust in response to a CloudWatch alarm, indicating that Auto Scaling is required.
Option A: Configure the ECS services to use the blue/green deployment type and a Network Load Balancer. Request increases to the service quota for tasks per service to meet the demand.
- Evaluation:
- The Network Load Balancer (NLB) operates at the network layer (Layer 4) and is primarily used for TCP/UDP traffic. While it can handle high throughput, it doesn’t support SSL/TLS termination for HTTPS traffic, which the application requires.
- Requesting increases to the service quota for tasks per service is a reactive measure and doesn’t directly address the scaling needs with CloudWatch alarms or automatic adjustments.
- Reason for Rejection: The Network Load Balancer doesn’t support HTTPS termination, making it unsuitable for this application, which uses HTTPS.
Option B: Configure the ECS services to use the blue/green deployment type and a Network Load Balancer. Implement an Auto Scaling group for each ECS service by using the Cluster Autoscaler.
- Evaluation:
- Again, the Network Load Balancer is not suitable for handling HTTPS traffic because it works at the transport layer and doesn’t manage SSL/TLS termination.
- The Cluster Autoscaler is not a native AWS service for ECS; it is generally used with Amazon EKS (Elastic Kubernetes Service) to manage node scaling, not for ECS task-level scaling.
- Reason for Rejection: The use of a Network Load Balancer and Cluster Autoscaler would not meet the HTTPS requirement and would add unnecessary complexity to the solution.
Option C: Configure the ECS services to use the blue/green deployment type and an Application Load Balancer. Implement an Aut...
Author: Manish · Last updated May 13, 2026
A company is running a containerized application in the AWS Cloud. The application is running by using Amazon Elastic Container Service (Amazon ECS) on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group.
The company uses Amazon Elastic Container Registry (Amazon ECR) to store its container images. When a new image version is uploaded, the new image version receives a unique tag.
The company needs a solution that inspects new image versions for common vulnerabilities and exposures. ...
Requirements Breakdown:
1. Vulnerability Scanning: The solution must scan container images for vulnerabilities and exposures, particularly focusing on Critical and High severity issues.
2. Automatic Deletion of Image Tags: If vulnerabilities with Critical or High severity are found, the solution must automatically delete the image tags associated with those images.
3. Notification to Development Team: The development team must be notified when such deletions occur.
Evaluation of Each Option:
Option A:
- Description: Configure scan on push for the repository. Use Amazon EventBridge to invoke an AWS Step Functions state machine when a scan is complete for images with Critical or High severity findings. The state machine deletes the image tag and notifies the team via Amazon SNS.
- Evaluation:
- Scan on Push: This is a good solution, as it ensures every time a new image is pushed to Amazon ECR, it is automatically scanned for vulnerabilities.
- EventBridge and Step Functions: Amazon EventBridge is a powerful event-driven architecture service that can detect when a scan completes, and AWS Step Functions provides a robust way to orchestrate multiple tasks (like deleting image tags and sending notifications).
- SNS for Notifications: Amazon SNS is an excellent choice for notifying the development team in real-time.
- Reason for Selection: This solution is a fully automated and scalable workflow. It uses native AWS services to inspect images, delete vulnerable tags, and notify the team. Event-driven architecture is suitable for the use case, as it allows seamless triggering of actions when a scan result is available.
Option B:
- Description: Configure scan on push. Send scan results to an SQS queue, then invoke a Lambda function to delete the image tag and notify the development team via Amazon SES.
- Evaluation:
- Scan on Push: This is good for ensuring that newly pushed images are scanned for vulnerabilities.
- SQS for Results: Using an SQS queue to store scan results is viable, but it introduces extra steps compared to using EventBridge, which is a more direct integration for handling events.
- Lambda Function: The Lambda function is responsible for deleting image tags and notifying the development team. While this is feasible, SES (Simple Email Service) might be overcomplicated for notifications. SNS would...
Author: Manish · Last updated May 13, 2026
A company runs many workloads on AWS and uses AWS Organizations to manage its accounts. The workloads are hosted on Amazon EC2, AWS Fargate, and AWS Lambda. Some of the workloads have unpredictable demand. Accounts record high usage in some months and low usage in other months.
The company wants to optimize its compute costs over the next 3 years. A solutions architect obtains a 6-month a...
Let's evaluate each option in terms of cost savings potential and scalability across multiple accounts and services, considering the given scenario where workloads are hosted on EC2, AWS Fargate, and AWS Lambda, with unpredictable demand.
Key Factors:
1. Compute Usage: The organization uses a combination of EC2 instances, AWS Fargate, and AWS Lambda, each with potentially different billing models and usage patterns.
2. Unpredictable Demand: Some workloads have unpredictable demand, which can make it difficult to accurately forecast long-term usage for specific EC2 instance types or sizes.
3. Organization-wide Savings: The solution should optimize costs for the entire organization, which is managed under AWS Organizations, and should provide flexibility to accommodate fluctuating usage across accounts.
Option A: Purchase Reserved Instances for the organization to match the size and number of the most common EC2 instances from the member accounts.
- Evaluation:
- Reserved Instances (RIs) are beneficial for workloads with predictable, steady usage, but they are tied to specific instance types and sizes, which makes them inflexible.
- Since the company has unpredictable demand, it might not be able to accurately predict which EC2 instances will be most commonly used in the future.
- RIs are also linked to specific Availability Zones, which may not be optimal in a dynamic environment with fluctuating demand.
- Reason for Rejection: Purchasing Reserved Instances based on the most common EC2 instance types might not be cost-effective in the face of fluctuating or unpredictable demand. Additionally, RIs are less flexible and don’t apply to other services like AWS Fargate or Lambda.
Option B: Purchase a Compute Savings Plan for the organization from the management account by using the recommendation at the management account level.
- Evaluation:
- Compute Savings Plans provide flexibility as they apply to a wide range of services, including EC2 (both On-Demand and Reserved Instances), AWS Fargate, and Lambda.
- This option allows the company to commit to a certain level of compute usage over a 1- or 3-year period while benefiting from significant cost savings, without being tied to specific instance types or sizes. This is ideal for unpredictable workloads and varying service usage across multiple accounts.
- Compute Savings Plans are applicable at the organization level, so purchasing one from the management account will apply to all member ...
Author: Matthew · Last updated May 13, 2026
A company has hundreds of AWS accounts. The company uses an organization in AWS Organizations to manage all the accounts. The company has turned on all features.
A finance team has allocated a daily budget for AWS costs. The finance team must receive an email notification if the organization's AWS costs exceed 80% of the allocated budget. A...
Let's analyze each of the proposed solutions:
Option A: AWS Budgets with SNS notifications
- Explanation: AWS Budgets is designed for setting custom cost and usage budgets. You can create a daily budget and set an alert threshold (like 80%) when the budget is exceeded. It integrates with Amazon SNS to send notifications to a specific email address or a list of recipients.
- Key Benefits:
- Directly aligns with the requirement to track costs and send notifications based on a set threshold.
- Simple to implement as AWS Budgets is a dedicated tool for this task.
- Can be configured at the organization level (management account) to apply across all accounts.
- Rejection Reason: No significant reasons to reject here. This is a straightforward solution and is designed to handle budget alerts.
Option B: AWS Trusted Advisor with Organizational View for Cost Optimization
- Explanation: AWS Trusted Advisor helps to monitor AWS best practices, including cost optimization. It offers reports and alerts on various areas, including cost optimization, but it’s not specifically designed for custom budget thresholds.
- Key Benefits:
- Trusted Advisor can alert on cost optimization issues and resource utilization.
- Rejection Reason:
- Not a budget tracking tool: Trusted Advisor isn't specifically built for tracking and notifying based on a predefined budget threshold (like 80% of the budget), which is the core requirement.
- Limited to specific insights: It focuses more on recommendations and best practices rather than actively managing and notifying about predefined cost thresholds.
Option C: AWS Control Tower with cost control guardrail
- Explanation: AWS Control Tower is used for governance and central management of multi-account environments, and it includes optional guar...
Author: StarlightBear · Last updated May 13, 2026
A company provides auction services for artwork and has users across North America and Europe. The company hosts its application in Amazon EC2 instances in the us-east-1 Region. Artists upload photos of their work as large-size, high-resolution image files from their mobile phones to a centralized Amazon S3 bucket created in the us-east-1 Region. The user...
Let's analyze each option for improving the performance of the image upload process for users in Europe:
Option A: Redeploy the application to use S3 Multipart Uploads
- Explanation: S3 Multipart Uploads enable users to upload large files by splitting them into smaller parts, which can be uploaded in parallel. Once all parts are uploaded, they are combined into a single file. This can significantly speed up the upload process for large files and improve reliability (if a part fails, only that part needs to be re-uploaded).
- Key Benefits:
- Multipart uploads are beneficial for handling large files as they increase throughput and reduce the time required to upload large images.
- Rejection Reason:
- Doesn't address regional performance: While multipart uploads improve file upload efficiency, it doesn't specifically solve the issue of slow uploads for users in Europe, who might experience latency due to the distance between them and the S3 bucket in the US East region. Multipart uploads won't reduce this geographical latency.
Option B: Create an Amazon CloudFront distribution and point to the application as a custom origin
- Explanation: CloudFront is a content delivery network (CDN) that can cache content at edge locations closer to end users. If CloudFront is used as a CDN with S3 as the origin, it can accelerate read operations (like downloading images) but not directly improve upload performance.
- Key Benefits:
- Useful for reducing latency for users when downloading or retrieving files that are cached in CloudFront’s edge locations.
- Rejection Reason:
- Doesn't improve upload performance: CloudFront speeds up read operations but doesn't enhance the performance of uploading files, as the CDN is primarily designed to accelerate content delivery rather than upload processes. Therefore, CloudFront isn't the solution for improving image upload performance.
Option C: Configure the buckets to use S3 Transfer Accelera...
Author: Olivia · Last updated May 13, 2026
A company wants to containerize a multi-tier web application and move the application from an on-premises data center to AWS. The application includes web, application, and database tiers. The company needs to make the application fault tolerant and scalable. Some frequently accessed data must always be available across application servers. Frontend web servers nee...
To meet the requirements of fault tolerance, scalability, and reduced operational overhead, let's analyze each solution and see how well it addresses the company's needs:
Requirements:
1. Fault Tolerance & Scalability: The application must scale to meet increased traffic and handle failures gracefully.
2. Frequent Data Availability: Some data must always be accessible across application servers.
3. Session Persistence: The frontend web servers need session persistence to maintain user session state.
4. Minimal Operational Overhead: The solution should require the least ongoing management after deployment.
A) Run the application on Amazon ECS on AWS Fargate. Use Amazon EFS for data that is frequently accessed between the web and application tiers. Store the frontend web server session data in Amazon Simple Queue Service (Amazon SQS).
- Pros:
- AWS Fargate abstracts infrastructure management, so you don't need to manage EC2 instances, which reduces operational overhead.
- Amazon EFS provides a managed file system that can be mounted across multiple containers, making it easy to share frequently accessed data between the web and application tiers.
- Cons:
- Amazon SQS is not an ideal choice for session persistence. SQS is a messaging service, not designed to store session data, which could lead to complexity and inefficiency.
- While Fargate offers scalability, the use of SQS for session persistence is a poor design choice for session data that needs to be frequently accessed and kept alive across requests.
Reason for rejection: While Fargate simplifies management, SQS is not suitable for session persistence, and the overall solution might not be as efficient or aligned with the application's needs.
B) Run the application on Amazon ECS on Amazon EC2. Use Amazon ElastiCache for Redis to cache frontend web server session data. Use Amazon EBS with Multi-Attach on EC2 instances that are distributed across multiple Availability Zones.
- Pros:
- Amazon ElastiCache for Redis is a perfect fit for session persistence, providing fast in-memory storage for session data that can be shared across multiple web servers.
- EBS Multi-Attach enables sharing block storage across multiple EC2 instances, providing a shared volume for frequently accessed data.
- Cons:
- Running ECS on EC2 requires you to manage EC2 instances, which adds operational overhead compared to Fargate. This solution involves managing EC2 instances, scaling groups, and load balancers.
- EBS Multi-Attach does not allow you to easily scale the underlying storage solution without more complex management.
Reason for rejection: While ElastiCache for Redis is a good choice for session persistence, managing EC2 instances increases operational overhead. The solution could be simpler with...
Author: Emma Brown · Last updated May 13, 2026
A solutions architect is planning to migrate critical Microsoft SQL Server databases to AWS. Because the databases are legacy systems, the solutions architect will move the databases to a modern data architecture. The solutions archite...
Requirements:
- Near-zero downtime: The migration must minimize or eliminate downtime during the transition.
- Modern data architecture: The solution should migrate the legacy Microsoft SQL Server database to a modern AWS service.
- Legacy system consideration: Since this is a legacy system, the migration should support SQL Server's specific features, ensuring compatibility during the transition.
A) Use AWS Application Migration Service and the AWS Schema Conversion Tool (AWS SCT). Perform an in-place upgrade before the migration. Export the migrated data to Amazon Aurora Serverless after cutover. Repoint the applications to Amazon Aurora.
- Pros:
- AWS Application Migration Service helps with lift-and-shift migrations with minimal downtime.
- AWS SCT can convert the database schema for Aurora, making it easier to migrate from SQL Server to Aurora.
- Aurora Serverless is scalable and can reduce infrastructure management overhead.
- Cons:
- The migration to Amazon Aurora involves moving from SQL Server to a different database engine, which might introduce compatibility issues.
- Performing an in-place upgrade before migration could lead to unnecessary complexity and potential downtime during the upgrade.
- This option does not meet the requirement of near-zero downtime, as the database will need to be fully migrated, cut over, and repointed, which can involve downtime.
Reason for rejection: Migrating to Aurora from SQL Server introduces complexity with potential compatibility issues, and the overall migration process is not optimized for near-zero downtime.
B) Use AWS Database Migration Service (AWS DMS) to rehost the database. Set Amazon S3 as a target. Set up change data capture (CDC) replication. When the source and destination are fully synchronized, load the data from Amazon S3 into an Amazon RDS for Microsoft SQL Server DB instance.
- Pros:
- AWS DMS enables near-zero downtime migration by using Change Data Capture (CDC), which continuously replicates data between the source and target databases while the source system is still operational.
- This allows the application to continue running without major disruption.
- Amazon RDS for SQL Server is fully managed, so ongoing maintenance and scaling are simplified.
- Cons:
- Loading data from Amazon S3 into RDS after CDC replication may require extra steps and some manual processes.
- RDS migration may not fully leverage the original SQL Server setup, but the core migration strategy supports near-zero downtime.
Reason for rejection: While AWS DMS is a good tool for migration, the added complexity of ...
Author: IronLion88 · Last updated May 13, 2026
A company's solutions architect is analyzing costs of a multi-application environment. The environment is deployed across multiple Availability Zones in a single AWS Region. After a recent acquisition, the company manages two organizations in AWS Organizations. The company has created multiple service provider applications as AWS PrivateLink-powered VPC endpoint services in one organization. The company has created multiple service consumer applications in the other organization.
Data transfer charges are much higher than the company expected, and the solutions architect needs to red...
To reduce data transfer charges in the described multi-organization environment, the solutions architect needs to focus on strategies that minimize the need for inter-Availability Zone (AZ) data transfers and the associated costs. Let’s evaluate each of the options:
Option A: Use AWS Resource Access Manager to share the subnets that host the service provider applications with other accounts in the organization
- Explanation: AWS Resource Access Manager (RAM) allows sharing resources across AWS accounts in the same organization, such as subnets and VPCs. This would allow the service consumer applications in different accounts to use the service provider applications without needing separate VPC endpoints.
- Key Benefits:
- Sharing subnets can help reduce cross-account data transfer charges and simplify architecture, but it does not necessarily reduce cross-AZ data transfer charges.
- Rejection Reason:
- Does not address cross-AZ transfer issues: While this can help with some networking and resource management, it doesn't directly address minimizing data transfer between different Availability Zones, which is the primary cost issue.
Option B: Place the service provider applications and the service consumer applications in AWS accounts in the same organization
- Explanation: By placing the service provider and service consumer applications in the same organization, the company can reduce the costs associated with cross-account data transfer. However, this doesn't specifically address the more significant concern, which is reducing inter-AZ data transfer costs.
- Key Benefits:
- Reduces cross-account data transfer costs.
- Rejection Reason:
- Does not solve inter-AZ transfer costs: This guideline primarily addresses cross-account data transfer rather than inter-AZ data transfer. If applications are deployed in different AZs, data transfer between those AZs will still incur charges.
Option C: Turn off cross-zone load balancing for the Network Load Balancer in all service provider application deployments
- Explanation: By default, Network Load Balancer (NLB) in AWS supports cross-zone load balancing. Turning off this feature can h...
Author: Harper · Last updated May 13, 2026
A company has an on-premises Microsoft SQL Server database that writes a nightly 200 GB export to a local drive. The company wants to move the backups to more robust cloud storage on Amazon S3. The company has set up a 10 Gbps AWS Direct Connect connection...
To meet the requirements, we need to determine the most cost-effective and reliable way to store the nightly 200 GB database export files in AWS S3 using an established 10 Gbps AWS Direct Connect connection. Let’s evaluate the given options based on key factors like cost, performance, and integration with Amazon S3.
Key Considerations:
1. Cost-Effectiveness: The solution should minimize costs, considering the data volume (200 GB per night) and the ongoing operation of the solution.
2. Performance: Since there is a high-speed 10 Gbps AWS Direct Connect connection, performance must ensure smooth and fast data transfer.
3. Cloud Storage Integration: The data ultimately needs to be stored in Amazon S3, so the solution should be able to move the data from an on-premises system into S3 efficiently.
4. Backup and Redundancy: The company may need to manage backups or ensure the data is stored redundantly.
Let’s review each option:
Option A: AWS Storage Gateway file gateway
- Explanation: The Storage Gateway file gateway provides an SMB share on-premises that can be used to move data to Amazon S3. This is an appropriate option when you need to transfer files to S3 with minimal setup.
- Advantages:
- S3-native integration: Files are transferred directly into S3 without needing additional file systems.
- Simple to set up.
- Cost-effective since it leverages the native S3 storage, which is typically cheaper than other storage solutions.
- Disadvantages:
- The file gateway is a good choice for file-based data but doesn't necessarily provide as high-performance access as some other AWS file storage options.
- File gateway performance might be limited by the file system, though the Direct Connect connection helps mitigate this.
Option B: Amazon FSx for Windows File Server (Single-AZ)
- Explanation: FSx for Windows File Server provides a fully managed Windows file system that supports SMB shares. A single-AZ file system could be cost-effective and performant for on-premises to cloud migrations, but it lacks multi-AZ redundancy.
- Advantages:
- Full SMB file system support.
- Can be used for high-performance file-based workloads.
- Integrates well with Direct Connect.
- Disadvantages:
- Costlier compared to Storage Gateway because it requires provisioning and maintaining a managed Windows file system.
- Single-AZ file system lack...
Author: MoonlitPantherX · Last updated May 13, 2026
A company needs to establish a connection from its on-premises data center to AWS. The company needs to connect all of its VPCs that are located in different AWS Regions with transitive routing capabilities between VPC networks. The company also must reduce network outbound traffic costs, increase...
To determine the best solution for establishing a connection from an on-premises data center to AWS, while meeting the requirements of transitive routing capabilities, reducing network outbound traffic costs, increasing bandwidth throughput, and providing a consistent network experience, let's evaluate each option based on the company's needs.
Key Factors for Evaluation:
1. Transitive Routing: The ability to route traffic between VPCs in different AWS Regions is critical.
2. Reduced Network Outbound Traffic Costs: A solution that minimizes costs by reducing the reliance on the public internet or VPN tunneling will be more cost-effective.
3. Increased Bandwidth Throughput: We need a solution that allows for high throughput, especially since bandwidth needs to be robust.
4. Consistent Network Experience: This requires a reliable connection that doesn’t experience fluctuations in latency or performance.
5. Scalability: As the network grows and new VPCs are added, the solution should be scalable.
Option A: AWS Site-to-Site VPN connection with VPC Peering
- Explanation: Create an AWS Site-to-Site VPN connection from the on-premises data center to a central VPC. Then, create VPC peering connections from the central VPC to all other VPCs.
- Advantages:
- Simple to set up.
- Inexpensive for smaller setups.
- Disadvantages:
- VPC peering does not support transitive routing, so this would not allow for routing traffic between all VPCs. Each VPC would need to be directly connected to every other VPC, which creates a complex and non-scalable network architecture.
- Doesn’t effectively address the need for reduced outbound traffic costs and increased throughput.
- Scalability issues as the number of VPCs grows.
- VPN-based connections would not provide as reliable or high-throughput performance as other solutions.
Option B: AWS Direct Connect with Transit Gateway in Each Region
- Explanation: Set up a Direct Connect connection from the on-premises data center to AWS, provision a transit virtual interface (VIF), and connect this to a Direct Connect gateway. The Direct Connect gateway then connects to a transit gateway in each region.
- Advantages:
- Direct Connect offers high bandwidth throughput and low latency, making it ideal for high-performance requirements.
- A Direct Connect gateway allows for a transitive connection between VPCs across multiple regions via the transit gateways.
- Reduced outbound traffic costs since the data flows through Direct Connect rather than the public internet.
- Disadvantages:
- More complex to set up and manage due to the involvement of multiple transit gateways and regions.
- Requires a more extensive setup of Direct Connect and Tra...
Author: Ryan · Last updated May 13, 2026
A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions archit...
To meet the requirement of creating an IAM user in the management account that can stop or terminate resources in both member accounts, we need a solution that allows the user in the management account to perform actions on resources in other accounts, while adhering to the principle of least privilege.
Key Factors for Evaluation:
1. Cross-Account Access: The user in the management account must have the ability to manage resources in other member accounts (development and production accounts).
2. Least Privilege Access: The user should only have permissions to stop or terminate resources in the member accounts and not broader permissions.
3. Separation of Roles: Ideally, the member accounts should have separate management for roles and permissions, rather than requiring manual duplication of permissions in each account.
Option A: IAM User and Cross-Account Role in the Management Account
- Explanation: Create an IAM user in the management account and a cross-account role with least privilege access to the member accounts.
- Advantages:
- The IAM user in the management account can assume the cross-account role in each member account to gain the necessary permissions.
- Clean and efficient use of cross-account roles for access management.
- Disadvantages:
- The main issue is that the cross-account role should be created in each member account, not the management account, for the management user to assume the role in the member accounts. Therefore, this option doesn’t fully address the requirement, as the roles need to be in the member accounts.
Option B: IAM User in Each Member Account and Cross-Account Role in the Management Account
- Explanation: Create an IAM user in each member account, and in the management account, create a cross-account role with least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
- Advantages:
- This option provides fine-grained control in each account by granting individual IAM users in each member account the ability to assume a cross-account role.
- Cross-account roles allow for secure, controlled access across accounts.
- Disadvantages:
- This solution requires managing IAM users in every member account, which adds complexity and administrative overhead. This is not ideal when we only need o...
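As an added example (not code from the post above or from AWS), the following builds the three policy documents that the post's reasoning implies: a trust policy on a role created in each member account that trusts only one management-account IAM user, a permissions policy on that role limited to stopping and terminating instances, and an identity policy on the management user limited to assuming that one role in the listed accounts. It also includes a simplified single-policy evaluator and a wildcard lint so the least-privilege claim can be checked locally. The account IDs, user and role names, region and the assumption that the resources are EC2 instances are placeholders, not values from the question.

```python
"""Added example (not code from the original post): a least-privilege
cross-account role for stopping/terminating EC2 instances in a member
account, assumed by a single IAM user in the management account.
All account IDs, ARNs, names and the region are assumed placeholders."""
import fnmatch

MANAGEMENT_ACCOUNT_ID = "111111111111"                    # assumed
MEMBER_ACCOUNT_IDS = {"development": "222222222222",      # assumed
                      "production": "333333333333"}
OPS_USER_ARN = f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:user/ops-stop-terminate"  # assumed
ROLE_NAME = "OpsStopTerminateRole"                        # assumed


def member_role_trust_policy(management_user_arn: str) -> dict:
    """Trust policy on the role created IN EACH MEMBER ACCOUNT: only the named
    management-account user may assume it, and only from an MFA'd session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": management_user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def member_role_permissions_policy(region: str) -> dict:
    """Permissions policy on that role: stop/terminate instances only.
    No wildcard actions, no RunInstances, no IAM rights."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "StopOrTerminateOnly",
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": f"arn:aws:ec2:{region}:*:instance/*",
        }],
    }


def management_user_policy(role_name: str, member_account_ids) -> dict:
    """Identity policy on the management-account user: it may assume only the
    named role, and only in the listed member accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeMemberRolesOnly",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in member_account_ids],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM-style wildcard match ('*' and '?'); compared case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified single-policy evaluation: an explicit Deny wins, otherwise
    the request is allowed only if some Allow statement matches both the
    action and the resource (IAM's default is deny)."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def wildcard_allow_sids(policy: dict) -> list:
    """Least-privilege lint: Sids of Allow statements granting '*' actions or resources."""
    return [stmt.get("Sid", "<no Sid>") for stmt in policy["Statement"]
            if stmt["Effect"] == "Allow"
            and ("*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"]))]


if __name__ == "__main__":
    perms = member_role_permissions_policy("us-east-1")
    inst = f"arn:aws:ec2:us-east-1:{MEMBER_ACCOUNT_IDS['production']}:instance/i-0123456789abcdef0"
    print("stop allowed:", is_allowed(perms, "ec2:StopInstances", inst))
    print("run allowed: ", is_allowed(perms, "ec2:RunInstances", inst))
    print("wildcard Allow statements:", wildcard_allow_sids(perms))
```

The trust policy lives in the member account, which is the point the post makes against creating the cross-account role in the management account: a role can only be assumed in the account that holds it, so each member account needs its own role trusting the one management user, and the user's own policy pins the assumable roles by ARN.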
Author: SilverBear · Last updated May 13, 2026
A company wants to use AWS for disaster recovery for an on-premises application. The company has hundreds of Windows-based servers that run the application. All the servers mount a common share.
The company has an RTO of 15 minutes and an RPO of 5 minutes. The solution must ...
To meet the company's disaster recovery (DR) requirements—specifically the Recovery Time Objective (RTO) of 15 minutes, Recovery Point Objective (RPO) of 5 minutes, and the need for native failover and fallback capabilities—let's analyze the different options provided.
Key Requirements:
- RTO of 15 minutes: The solution must ensure that failover happens quickly.
- RPO of 5 minutes: Data replication must occur with minimal latency.
- Native Failover and Fallback: The solution must allow for both automatic and manual failover and fallback between the on-premises and AWS environments.
- Cost-Effectiveness: The solution should balance reliability and operational cost.
Option A: AWS Storage Gateway File Gateway with Daily Backups
- Explanation: The file gateway provides an interface for connecting on-premises environments to cloud storage like Amazon S3. It requires daily backups to Amazon S3, and recovery occurs by restoring the servers from the backups during a disaster.
- Advantages:
- Simple and cost-effective for backup and recovery.
- Disadvantages:
- This solution does not meet the RTO of 15 minutes because recovery is based on daily backups, which typically takes longer than 15 minutes. Additionally, backups do not allow for near-real-time replication, which doesn't meet the RPO of 5 minutes.
- It lacks native failover and fallback capabilities—manual intervention is needed to restore the servers.
- This option is slow and inefficient for a DR solution that requires low downtime and rapid recovery.
Option B: CloudFormation Templates and AWS DataSync for EFS Replication
- Explanation: This option involves creating CloudFormation templates for infrastructure and using AWS DataSync to replicate data to Amazon EFS. During a disaster, CodePipeline would deploy templates to restore on-premises servers.
- Advantages:
- EFS provides a scalable, managed file system for file-based workloads, and DataSync ensures fast data transfer.
- CloudFormation can automate infrastructure creation and management.
- Disadvantages:
- The RTO might not be met, especially if infrastructure needs to be deployed during the disaster. CodePipeline and CloudFormation might take too long to restore the on-premises servers.
- RPO is also at risk because replication via DataSync can be delayed depending on the data amount.
- Failback is not as seamless as other options, since DataSync would need to be used to move data back to the on-premises servers, which could be complex and time-consuming.
- The process is more complicated and could lead to delays, which does not align with the company’s strict DR requirements.
Option C: AWS CDK with Multi-S...
Author: Ishaan · Last updated May 13, 2026
A company has built a high performance computing (HPC) cluster in AWS for a tightly coupled workload that generates a large number of shared files stored in Amazon EFS. The cluster was performing well when the number of Amazon EC2 instances in the cluster was 100. However, when the company increased the cluster size to 1,000 EC2 instances, overall performance was well bel...
To achieve maximum performance from the high-performance computing (HPC) cluster in AWS, several design considerations need to be made. These design choices address both the limitations of Amazon Elastic File System (EFS) for tightly coupled workloads and the optimization of network and storage configurations for high throughput and low latency.
Key Factors:
- HPC Performance: Tightly coupled workloads often require fast, low-latency, and high-throughput storage solutions.
- Scalability: As the number of EC2 instances increases, the solution needs to scale effectively to avoid bottlenecks.
- Network: In a large HPC cluster, the network performance between EC2 instances and storage must be optimized.
Option A: Ensure the HPC cluster is launched within a single Availability Zone
- Explanation: Launching all instances within a single Availability Zone reduces network latency because instances communicate within the same zone.
- Advantages:
- This choice can improve network performance for EC2 instances.
- Disadvantages:
- A single Availability Zone might become a bottleneck for large-scale HPC workloads, especially if the cluster size increases. It also reduces fault tolerance and availability.
- For a large cluster, using a single Availability Zone could result in suboptimal scaling for compute and storage capacity.
Option B: Launch the EC2 instances and attach elastic network interfaces in multiples of four
- Explanation: This option focuses on network performance and could help improve throughput by adding multiple network interfaces to the instances.
- Advantages:
- This would provide more network bandwidth and help with scaling by allowing EC2 instances to better handle large data transfers.
- Disadvantages:
- While this can help in certain scenarios, simply adding network interfaces without considering the overall network configuration and bottlenecks in storage is not likely to solve the main problem of I/O performance with Amazon EFS in a large cluster.
Option C: Select EC2 instance types with an Elastic Fabric Adapter (EFA) enabled
- Explanation: EFA provides low-latency, high-throughput networking between EC2 instances, which is ideal for tightly coupled workloads in HPC environments.
- Advantages:
- EFA enables HPC workloads to achieve higher networking performance by providing RDMA (Remote Direct Memory Access) capabilities, reducing network latency and improving overall throughput between EC2 instances.
- This is crucial for workloads that require high inter-instance communication and low-latency access to storage.
- Disadvantages:
- EFA is only available with certain EC2 instance types (e.g., specific instance families such as `c5n` or `p4d`). This requires the right selection of instance types.
Option D: Ensure the cluster is launched across multiple Availability Zones
- Explanation: Launching the HPC cluster across multiple Availability Zone...
Author: Alexander · Last updated May 13, 2026
A company is designing an AWS Organizations structure. The company wants to standardize a process to apply tags across the entire organization. The company will require tags with specific values when a user creates a new resource. Ea...
Solution Analysis
In this scenario, the company wants to enforce tagging policies in AWS Organizations across multiple Organizational Units (OUs) with unique tag values. Each OU needs its own set of tag values, and tags are required when resources are created. Let's break down the provided options to see which one meets the requirements most effectively.
Key Requirements:
1. Standardized process for applying tags: Tags must be applied to resources upon creation.
2. Unique tag values for each OU: Each Organizational Unit should have different tag values.
3. Tagging enforcement: There must be a mechanism to ensure tags are applied when new resources are created.
Option A: Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.
- Reasoning: This solution uses an SCP (Service Control Policy) to deny the creation of resources without the required tags. This is a strong approach to enforcing tagging policies at the organization level. Additionally, the use of a Tag Policy with specific values for each OU provides the flexibility to apply different tags per OU, which is essential for the company's requirement of unique tag values per OU.
- Why Selected: The combination of using an SCP for enforcement and Tag Policies for specific tag values assigned to each OU is the most appropriate solution. This ensures that the resources are created with the necessary tags, and the company can have flexibility for different OUs.
Option B: Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the organization's management account.
- Reasoning: This option would allow the creation of a tag policy, but attaching it only to the management account limits the effectiveness of the policy across all OUs. The management account would not ensure that the tag policies are applied across all OUs; therefore, it wouldn't meet the company's need for applying unique tags to different OUs.
- Why Rejected: The lack of...
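As an added example (not code from the post above or from AWS), the following shows the two controls the selected option combines: an SCP that uses the IAM Null condition to deny selected create actions when the request carries no tag with the required key, and a per-OU tag policy that fixes the allowed values for that key and the resource types on which non-compliant tagging is rejected. A simplified evaluator runs a create request through both so the difference between "tag missing" (caught by the SCP) and "wrong value for this OU" (caught by the OU's tag policy) can be seen. The tag key, OU names, value lists and action list are assumed placeholders, and the evaluator is a local model, not the AWS enforcement engine.

```python
"""Added example (not code from the original post): SCP + per-OU tag policy
for required tags on resource creation, with a simplified local evaluator.
Tag key, OU names, values and actions are assumed placeholders."""

TAG_KEY = "CostCenter"  # assumed required tag key

# Assumed per-OU value sets (the question says each OU gets its own values).
OU_TAG_VALUES = {
    "Research": ["ResearchA", "ResearchB"],
    "Teaching": ["TeachingA"],
}


def scp_require_tag_on_create(tag_key, actions):
    """SCP attached to an OU: Deny the listed create actions when the request
    carries no tag with this key. IAM's 'Null' condition is true when the
    context key aws:RequestTag/<key> is absent from the request."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCreateWithoutRequiredTag",
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {"Null": {f"aws:RequestTag/{tag_key}": "true"}},
        }],
    }


def tag_policy_for_ou(tag_key, allowed_values, enforced_for):
    """Tag policy attached to one OU: the key's capitalization, its compliant
    values, and the resource types for which non-compliant tagging operations
    are rejected (enforced_for)."""
    return {
        "tags": {
            tag_key.lower(): {
                "tag_key": {"@@assign": tag_key},
                "tag_value": {"@@assign": list(allowed_values)},
                "enforced_for": {"@@assign": list(enforced_for)},
            }
        }
    }


def evaluate_create(scp, tag_policy, action, resource_type, request_tags):
    """Simplified model of both controls on one create request.
    Returns (allowed, reason)."""
    # 1. SCP: the Null-condition Deny fires when the required tag key is absent.
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        for cond_key, expect_missing in stmt["Condition"].get("Null", {}).items():
            tag = cond_key.split("/", 1)[1]
            if (tag not in request_tags) == (expect_missing == "true"):
                return False, f"SCP {stmt['Sid']}: tag '{tag}' is required on {action}"
    # 2. Tag policy: for enforced resource types, a supplied value must be in
    #    this OU's list (values are compared exactly).
    for entry in tag_policy["tags"].values():
        key = entry["tag_key"]["@@assign"]
        if resource_type not in entry["enforced_for"]["@@assign"]:
            continue
        if key in request_tags and request_tags[key] not in entry["tag_value"]["@@assign"]:
            return False, f"tag policy: '{request_tags[key]}' is not an allowed value for {key}"
    return True, "allowed"


if __name__ == "__main__":
    scp = scp_require_tag_on_create(TAG_KEY, ["ec2:RunInstances", "ec2:CreateVolume"])
    research = tag_policy_for_ou(TAG_KEY, OU_TAG_VALUES["Research"], ["ec2:instance"])
    teaching = tag_policy_for_ou(TAG_KEY, OU_TAG_VALUES["Teaching"], ["ec2:instance"])
    for ou, policy in (("Research", research), ("Teaching", teaching)):
        for tags in ({}, {"CostCenter": "ResearchA"}, {"CostCenter": "TeachingA"}):
            print(ou, tags, evaluate_create(scp, policy, "ec2:RunInstances", "ec2:instance", tags))
```

Note that the SCP alone only guarantees the tag exists; the value restriction and its per-OU variation come from the tag policy attached to each OU, which is why option B (tag policy on the management account only) fails the requirement even with the same SCP.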
Author: Amira99 · Last updated May 13, 2026
A company has more than 10,000 sensors that send data to an on-premises Apache Kafka server by using the Message Queuing Telemetry Transport (MQTT) protocol. The on-premises Kafka server transforms the data and then stores the results as objects in an Amazon S3 bucket.
Recently, the Kafka server crashed. The company lost sensor data while the server was being restored. A solut...
To meet the requirements of creating a highly available and scalable solution on AWS for sensor data ingestion, data transformation, and storage, let's analyze each option carefully:
Key Requirements:
1. High Availability: The solution should ensure that the system remains available even if there are failures, preventing data loss during downtimes.
2. Scalability: The system should scale easily to handle a large number of sensors (more than 10,000) sending data concurrently.
3. Data Loss Prevention: The solution should ensure that data is not lost, even during failures or crashes, and that it is transformed and stored reliably.
4. Minimal Operational Overhead: The solution should be automated and require minimal ongoing management.
A) Launch two Amazon EC2 instances to host the Kafka server in an active/standby configuration across two Availability Zones. Create a domain name in Amazon Route 53. Create a Route 53 failover policy. Route the sensors to send the data to the domain name.
- Pros:
- Active/Standby configuration across multiple Availability Zones ensures redundancy, so if one EC2 instance fails, the other can take over.
- Route 53 failover policy provides automatic routing in case of instance failure, ensuring availability.
- Cons:
- This solution still relies on self-managed EC2 instances for Kafka, which requires ongoing maintenance and monitoring.
- The configuration doesn't inherently scale easily to accommodate the growing number of sensors. Kafka scaling, especially with a self-managed approach, can be challenging and prone to failure under high load.
- There's still potential for data loss if the failover process isn't seamless or if the system can't handle the sudden surge in data during failover.
Reason for rejection: While this provides some redundancy, it still requires manual management of EC2 instances and Kafka itself. It's not as scalable or fault-tolerant as managed services and introduces operational overhead.
B) Migrate the on-premises Kafka server to Amazon Managed Streaming for Apache Kafka (Amazon MSK). Create a Network Load Balancer (NLB) that points to the Amazon MSK broker. Enable NLB health checks. Route the sensors to send the data to the NLB.
- Pros:
- Amazon MSK is a fully managed service that handles Kafka clusters' scalability, availability, and fault tolerance automatically. This ensures high availability and scalability without needing to manage Kafka servers manually.
- Amazon MSK is designed to handle large-scale data streams with automatic failover and replication across multiple Availability Zones, reducing the risk of data loss.
- The Network Load Balancer (NLB) can route traffic efficiently to MSK brokers, and enabling health checks ensures that traffic is routed only to healthy brokers, preventing data loss due to broker failure.
- Cons:
- The use of an NLB here seems unnecessary since Amazon MSK is already a managed service that provides its own endpoints for clients to connect to.
- While ...
Author: Grace · Last updated May 13, 2026
A company recently started hosting new application workloads in the AWS Cloud. The company is using Amazon EC2 instances, Amazon Elastic File System (Amazon EFS) file systems, and Amazon RDS DB instances.
To meet regulatory and business requirements, the company must make the following changes for data backups:
* Backups must be retained based on custom daily, weekly, and monthly requirements.
* Backups must be replicated to at least one other AWS Region immediately after capture.
* The backup solution must provide a single source of backup status a...
Solution Analysis
The company has specific backup requirements, including retention policies (daily, weekly, and monthly), cross-region replication of backups, centralized backup status monitoring, and immediate failure notifications. We need to find a solution that minimizes operational overhead while fulfilling these requirements.
Key Requirements:
1. Custom Retention: The solution must allow backups to be retained according to custom daily, weekly, and monthly schedules.
2. Cross-Region Replication: Backups must be automatically replicated to another AWS Region right after capture.
3. Centralized Backup Status: A single source of backup status across the AWS environment.
4. Failure Notifications: The backup solution should send immediate notifications upon failure.
Option A: Create an AWS Backup plan with a backup rule for each of the retention requirements.
- Reasoning: AWS Backup allows you to create backup plans with rules for different retention policies. You can define daily, weekly, and monthly backups within a single backup plan. This simplifies management by using AWS Backup to handle backup retention without requiring manual management for each resource.
- Why Selected: AWS Backup is a centralized service that handles backup management, including retention, across different AWS resources such as EC2, EFS, and RDS. Using AWS Backup ensures the retention requirements are easily met and reduces manual configuration overhead.
Option B: Configure an AWS Backup plan to copy backups to another Region.
- Reasoning: AWS Backup supports cross-Region copy as part of the backup plan: each rule can carry a copy action that starts as soon as the backup job completes and places the recovery point in a vault in another Region. That satisfies the requirement for replication to at least one other AWS Region immediately after capture without any extra scheduling.
- Why Selected: This option is critical for ensuring compliance with the regulatory requirement of cross-region backup replication. AWS Backup automates this process, reducing operational overhead for manual replication setups.
Option C: Create an AWS Lambda function to replicate backups to another Region and send notifications if a failure occurs.
- Reasoning: A Lambda function could copy recovery points and send failure notifications, but it adds custom code that has to be written, deployed, monitored and maintained. AWS Backup already copies backups to another Region as part of the plan, and it reports job outcomes through backup vault notifications to Amazon SNS and through Amazon EventBridge events, so the same failure alerts are available without custom code.
- Why Rejected:...
Author: NightmareDragon2025 · Last updated May 13, 2026
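The plan that options A and B describe, as an added worked example that is not part of the original analysis: it builds the backup plan document with daily, weekly and monthly rules, attaches a cross-Region copy action to each rule, prepares the vault notification request that routes failed backup and copy jobs to one SNS topic, and runs a pre-deployment check on the plan. Nothing here calls AWS; the returned dictionaries are the keyword arguments for boto3's `backup.create_backup_plan()` and `backup.put_backup_vault_notifications()`. The account ID, Regions, vault name, topic ARN and retention periods are placeholders chosen for the example.

```python
"""Added example: AWS Backup plan with custom retention, cross-Region copy and
failure notifications. Account, Regions, vault, topic and retention values are
placeholders for the example, not values from the original page."""

ACCOUNT_ID = "123456789012"          # placeholder account
PRIMARY_REGION = "us-east-1"         # assumed primary Region
DR_REGION = "us-west-2"              # assumed copy destination Region
VAULT = "app-backups"                # assumed vault name, created in both Regions
SNS_TOPIC_ARN = f"arn:aws:sns:{PRIMARY_REGION}:{ACCOUNT_ID}:backup-alerts"


def vault_arn(region, vault=VAULT, account=ACCOUNT_ID):
    """ARN of a backup vault; the copy action needs the destination's ARN."""
    return f"arn:aws:backup:{region}:{account}:backup-vault:{vault}"


def backup_rule(name, schedule, retain_days):
    """One plan rule: schedule in AWS Backup cron syntax (UTC), retention in
    days, and a CopyAction so every recovery point is copied to DR_REGION as
    soon as the backup job completes."""
    return {
        "RuleName": name,
        "TargetBackupVaultName": VAULT,
        "ScheduleExpression": schedule,
        "StartWindowMinutes": 60,
        "CompletionWindowMinutes": 180,
        "Lifecycle": {"DeleteAfterDays": retain_days},
        "CopyActions": [{
            "DestinationBackupVaultArn": vault_arn(DR_REGION),
            "Lifecycle": {"DeleteAfterDays": retain_days},
        }],
    }


def build_backup_plan():
    """Plan document for create_backup_plan(BackupPlan=...). Retention values
    are illustrative: 7 days for daily, 35 for weekly, 365 for monthly."""
    return {
        "BackupPlanName": "regulated-workloads",
        "Rules": [
            backup_rule("daily", "cron(0 3 ? * * *)", 7),
            backup_rule("weekly", "cron(0 4 ? * SUN *)", 35),
            backup_rule("monthly", "cron(0 5 1 * ? *)", 365),
        ],
    }


def build_vault_notifications():
    """Kwargs for put_backup_vault_notifications(): the vault publishes failed
    (and expired) backup jobs and failed copy jobs to one SNS topic, which is
    the single place failures surface."""
    return {
        "BackupVaultName": VAULT,
        "SNSTopicArn": SNS_TOPIC_ARN,
        "BackupVaultEvents": ["BACKUP_JOB_FAILED", "BACKUP_JOB_EXPIRED",
                              "COPY_JOB_FAILED"],
    }


def check_plan(plan, primary_region=PRIMARY_REGION):
    """Pre-deployment check: the three cadences exist, every rule copies to a
    Region other than the primary, and the copy is not deleted before the
    source. Returns a list of problems; an empty list means the plan passes."""
    problems = []
    names = {rule["RuleName"] for rule in plan["Rules"]}
    for cadence in ("daily", "weekly", "monthly"):
        if cadence not in names:
            problems.append(f"missing {cadence} rule")
    for rule in plan["Rules"]:
        copies = rule.get("CopyActions", [])
        if not copies:
            problems.append(f"{rule['RuleName']}: no cross-Region copy")
        for copy in copies:
            region = copy["DestinationBackupVaultArn"].split(":")[3]
            if region == primary_region:
                problems.append(f"{rule['RuleName']}: copy stays in {region}")
            src_days = rule["Lifecycle"]["DeleteAfterDays"]
            dst_days = copy["Lifecycle"]["DeleteAfterDays"]
            if dst_days < src_days:
                problems.append(f"{rule['RuleName']}: copy expires before source")
    return problems


if __name__ == "__main__":
    plan = build_backup_plan()
    print("plan check:", check_plan(plan) or "OK")
    # Live deployment would be:
    # import boto3
    # backup = boto3.client("backup", region_name=PRIMARY_REGION)
    # backup.create_backup_plan(BackupPlan=plan)
    # backup.put_backup_vault_notifications(**build_vault_notifications())
```

The destination vault must already exist in the DR Region before the plan runs, and the copy's own lifecycle is set separately from the source's; the check above catches the common mistake of copying to a vault in the same Region or letting the copy expire earlier than the original.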
A company is developing a gene reporting device that will collect genomic information to assist researchers with collecting large samples of data from a diverse population. The device will push 8 KB of genomic data every second to a data platform that will need to process and analyze the data and provide information back to researchers. The data platform must meet the following requirements:
* Provide near-real-time analytics of the inbound geno...
Solution Analysis
The company needs a data platform capable of handling near-real-time genomic data that is flexible, parallel, and durable. The solution should also deliver processed results to a data warehouse. Let's analyze the options to identify the best strategy that meets these requirements.
Key Requirements:
1. Near-real-time analytics: The solution should allow quick analysis of the data as it arrives.
2. Flexible, parallel, and durable: The data platform should handle high throughput, be scalable, and ensure durability.
3. Deliver results to a data warehouse: The processed data should be saved to a data warehouse for further analysis.
Option A: Use Amazon Kinesis Data Firehose to collect the inbound sensor data, analyze the data with Kinesis clients, and save the results to an Amazon RDS instance.
- Reasoning: Amazon Kinesis Data Firehose is a delivery service. It buffers incoming records and writes them in batches to destinations such as Amazon S3, Amazon Redshift or Amazon OpenSearch Service, so it adds buffering latency and does not expose the stream to custom consumer applications; Kinesis client applications need Kinesis Data Streams for that. Amazon RDS is also a poor sink for a high-throughput genomic pipeline: a single DB instance scales vertically and is not built for parallel analytics, unlike Amazon Redshift or Amazon EMR.
- Why Rejected: This solution does not fully satisfy the need for scalable, parallel, real-time analytics. RDS is less suited for handling large-scale parallel analytics, and Kinesis Firehose does not provide the real-time processing capability required.
Option B: Use Amazon Kinesis Data Streams to collect the inbound sensor data, analyze the data with Kinesis clients, and save the results to an Amazon Redshift cluster using Amazon EMR.
- Reasoning: Kinesis Data Streams allows for real-time data collection and provides the ability to scale and process data in parallel. This fits the requirement for high throughput and flexible, parallel processing. Kinesis clients can analyze the data, and using Amazon EMR for large-scale data processing provides flexibility and scalability. Finally, the results can be stored in Amazon Redshift, which is optimized for analytics and data warehousing.
- Why Selected: This option meets the company's requirements for real-time analytics, flexibility, parallel processing, durability, and integration wi...
Author: Oliver · Last updated May 13, 2026
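A sizing check for the Kinesis Data Streams ingestion layer in option B, as an added example that is not part of the original analysis. The analysis says the stream scales and processes in parallel; in practice that means provisioning enough shards, and the shard count is bounded by three separate per-shard quotas (1 MiB/s and 1,000 records/s written, 2 MiB/s read shared by all standard consumers or per consumer with enhanced fan-out). The device count, the 8 KiB record size and the 25 percent headroom are assumptions for the example; only the quotas are from the service documentation.

```python
"""Added example: shard sizing for a Kinesis Data Streams ingestion layer.
Device counts, record sizes and headroom below are assumptions for the
example; the per-shard quotas are the documented Kinesis limits."""
import math

SHARD_IN_BYTES_PER_S = 1024 * 1024        # 1 MiB/s written per shard
SHARD_IN_RECORDS_PER_S = 1000             # 1,000 records/s written per shard
SHARD_OUT_BYTES_PER_S = 2 * 1024 * 1024   # 2 MiB/s read per shard: shared by all
                                          # standard consumers, per consumer
                                          # with enhanced fan-out
MAX_RECORD_BYTES = 1024 * 1024            # 1 MiB data blob limit per record


def shards_required(devices, record_bytes, records_per_s_per_device=1,
                    consumers=1, enhanced_fan_out=False, headroom=1.25):
    """Minimum and recommended shard counts for a fleet of devices that each
    emit records_per_s_per_device records of record_bytes per second.
    'consumers' is the number of applications reading the whole stream."""
    if record_bytes > MAX_RECORD_BYTES:
        raise ValueError("record exceeds the 1 MiB Kinesis record limit")
    records_per_s = devices * records_per_s_per_device
    bytes_per_s = records_per_s * record_bytes

    by_write_bytes = math.ceil(bytes_per_s / SHARD_IN_BYTES_PER_S)
    by_write_records = math.ceil(records_per_s / SHARD_IN_RECORDS_PER_S)
    # Standard consumers share each shard's 2 MiB/s, so egress scales with the
    # consumer count; enhanced fan-out gives each consumer its own 2 MiB/s.
    read_bytes_per_s = bytes_per_s if enhanced_fan_out else bytes_per_s * consumers
    by_read_bytes = math.ceil(read_bytes_per_s / SHARD_OUT_BYTES_PER_S)

    constraints = [("write_bytes", by_write_bytes),
                   ("write_records", by_write_records),
                   ("read_bytes", by_read_bytes)]
    binding, minimum = max(constraints, key=lambda kv: kv[1])
    return {
        "bytes_per_s": bytes_per_s,
        "records_per_s": records_per_s,
        "by_write_bytes": by_write_bytes,
        "by_write_records": by_write_records,
        "by_read_bytes": by_read_bytes,
        "binding_limit": binding,
        "minimum_shards": minimum,
        "recommended_shards": math.ceil(minimum * headroom),
    }


if __name__ == "__main__":
    # Assumed fleet: 1,000 devices, 8 KiB per second each, three consumer apps.
    for fan_out in (False, True):
        r = shards_required(1000, 8192, consumers=3, enhanced_fan_out=fan_out)
        print(f"enhanced_fan_out={fan_out}: {r['minimum_shards']} shards "
              f"(limit: {r['binding_limit']}), {r['recommended_shards']} with headroom")
```

With 1,000 devices at 8 KiB/s the write side needs 8 shards, but adding a third standard consumer (say an analytics job, an archiver and an alerting service) pushes the read side to 12 shards; enhanced fan-out removes that multiplier, which is the usual reason to turn it on when several independent applications consume the same stream.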
A solutions architect needs to define a reference architecture for a solution for three-tier applications with web, application, and NoSQL data layers. The reference architecture must meet the following requirements:
* High availability within an AWS Region
* Able to fail over in 1 minute to another AWS Region for disaster recovery
* Provide the...
Solution Analysis
The company needs a reference architecture for a three-tier application (web, application, and NoSQL data layers) that meets the following requirements:
1. High availability within an AWS Region: The solution must be highly available within a single region.
2. Disaster recovery (DR) with failover within 1 minute: The solution must enable quick failover to another region for disaster recovery.
3. Efficient solution with minimal impact on user experience: The solution should be efficient and not disrupt the user experience during failover or regular operation.
Let's analyze each option to find the best combination that meets these requirements.
Option A: Use an Amazon Route 53 weighted routing policy set to 100/0 across the two selected Regions. Set Time to Live (TTL) to 1 hour.
- Reasoning: This approach uses weighted routing in Amazon Route 53 to direct all traffic to the primary region (100%) and none to the disaster recovery (DR) region (0%). Setting a TTL of 1 hour would mean that clients will continue to route traffic to the primary region even if there is an issue for up to an hour, which is not ideal for a disaster recovery scenario that requires failover within 1 minute.
- Why Rejected: Weighted routing with a 100/0 split does not by itself move traffic when the primary fails, and the 1-hour TTL means resolvers can keep handing out the primary Region's answer for up to an hour after any change. Neither property is compatible with a 1-minute failover target.
Option B: Use an Amazon Route 53 failover routing policy for failover from the primary Region to the disaster recovery Region. Set Time to Live (TTL) to 30 seconds.
- Reasoning: A Route 53 failover routing policy is built for this case. Route 53 health checks monitor the primary endpoint, and once it is marked unhealthy Route 53 answers queries with the secondary (DR) record. A 30-second TTL means resolvers discard the cached primary answer quickly, so the switch becomes visible to clients within the required minute. The health check settings matter as much as the TTL: with the standard 30-second check interval and the default failure threshold of 3, detection alone can take 90 seconds, so the fast 10-second interval is needed to stay inside a 1-minute target.
- Why Selected: This option provides the most efficient failover mechanism, ensuring traffic is redirected to the DR region in case of failure within 1 minute. The low TTL helps achieve the required fast failover, and Route 53’s failover policy ensures high availability and minimal disruption.
Option C: Use a global table within Amazon DynamoDB so data can be accessed in the two selected Regions.
- Reasoning: Amazon DynamoDB global tables replicate a table across the selected Regions, so applications can read and write locally in each one. Replication is asynchronous, typically completing within a second, which means the data layer is already present in the DR Region when failover happens; writes committed in the last moments before an outage may not yet have replicated, which is the consistency trade-off to note for a 1-minute RTO.
- Why Selected: A global table for DynamoDB ensures that data is replicated across regions and can be accessed in both the primary and disaster recovery regions, thus meeting the requirement for high availability and fast disaster recovery with...
Author: Amira99 · Last updated May 13, 2026
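A model of the failover timing that separates option A from option B, added here as an example that is not part of the original analysis. It treats the worst case as the time Route 53 needs to declare the primary unhealthy (request interval times failure threshold, the only two values Route 53 lets you set) plus the record TTL, which is how long a resolver may keep serving the stale primary answer. Propagation of the Route 53 change itself is not modeled; it is typically seconds. The 1-minute target and the default threshold of 3 are the page's numbers and the Route 53 default respectively.

```python
"""Added example: worst-case DNS failover time for a Route 53 failover record.
Model (an assumption for the example): detection = RequestInterval x
FailureThreshold, then resolvers may cache the old answer for up to TTL."""

VALID_REQUEST_INTERVALS = (10, 30)   # Route 53 supports only these (seconds)


def detection_seconds(request_interval=30, failure_threshold=3):
    """Seconds until Route 53 considers the primary endpoint unhealthy, using
    the only two knobs a health check exposes for this."""
    if request_interval not in VALID_REQUEST_INTERVALS:
        raise ValueError("Route 53 RequestInterval must be 10 or 30 seconds")
    if not 1 <= failure_threshold <= 10:
        raise ValueError("Route 53 FailureThreshold must be between 1 and 10")
    return request_interval * failure_threshold


def worst_case_failover_seconds(ttl_seconds, request_interval=30,
                                failure_threshold=3):
    """Detection time plus the longest a resolver may keep the stale record."""
    return detection_seconds(request_interval, failure_threshold) + ttl_seconds


def meets_target(ttl_seconds, target_seconds=60, **health_check):
    """True when the worst case fits inside the recovery target."""
    return worst_case_failover_seconds(ttl_seconds, **health_check) <= target_seconds


def acceptable_health_check_settings(ttl_seconds, target_seconds=60):
    """All (RequestInterval, FailureThreshold) pairs that meet the target for
    a given TTL. A threshold of 1 flips on a single failed probe, so the
    higher-threshold entries are the ones to prefer against flapping."""
    return [(interval, threshold)
            for interval in VALID_REQUEST_INTERVALS
            for threshold in range(1, 11)
            if worst_case_failover_seconds(ttl_seconds, interval, threshold)
            <= target_seconds]


if __name__ == "__main__":
    # Option A: 1-hour TTL. Option B: 30-second TTL, first with Route 53's
    # standard 30 s interval, then with the fast 10 s interval.
    print("option A, TTL 3600:", worst_case_failover_seconds(3600), "s")
    print("option B, TTL 30, standard checks:", worst_case_failover_seconds(30), "s")
    print("option B, TTL 30, fast checks:",
          worst_case_failover_seconds(30, request_interval=10), "s")
    print("settings that meet 60 s with TTL 30:", acceptable_health_check_settings(30))
```

The takeaway the model makes explicit: with a 30-second TTL the default health check (30-second interval, threshold 3) still lands at 120 seconds worst case, so the 1-minute requirement is met only with the fast interval, and no health check setting rescues a 1-hour TTL.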
A company manufactures smart vehicles. The company uses a custom application to collect vehicle data. The vehicles use the MQTT protocol to connect to the application. The company processes the data in 5-minute intervals. The company then copies vehicle telematics data to on-premises storage. Custom applications analyze this data to detect anomalies.
The number of vehicles that send data grows constantly. Newer vehicles generate high volumes of data. The on-premises storage solution is not able to scale for peak tr...
Let's break down the available options for modernizing the company's solution while addressing the scaling challenges and minimizing operational overhead:
Option A: AWS IoT Greengrass, Apache Kafka, Amazon S3, Amazon SageMaker
- Pros:
- AWS IoT Greengrass runs processing at the edge (filtering or aggregating telemetry on the vehicle before it is sent), and Apache Kafka, self-managed or on Amazon MSK, can ingest the resulting stream.
- Amazon SageMaker offers built-in algorithms for anomaly detection, such as Random Cut Forest, which saves writing a model from scratch.
- Cons:
- High operational overhead: Managing Apache Kafka is complex and requires significant operational effort. It involves provisioning, scaling, monitoring, and troubleshooting.
- Not fully serverless: While Apache Kafka can scale, it still requires substantial management to handle peak traffic and high-volume data.
- Overengineering: Using Apache Kafka and SageMaker for anomaly detection introduces unnecessary complexity, especially when simpler, fully-managed alternatives exist.
This option is rejected because of its high operational overhead, which conflicts with the goal of minimizing operational effort.
Option B: AWS IoT Core, Kinesis Data Firehose, Amazon S3, Kinesis Data Analytics
- Pros:
- AWS IoT Core offers a fully managed service for connecting IoT devices (like the smart vehicles), with little operational effort required.
- Amazon Kinesis Data Firehose is fully managed, scales automatically, and can deliver data directly to Amazon S3, with minimal configuration.
- Kinesis Data Analytics offers a simple way to analyze streaming data in real-time, and it integrates well with the rest of the AWS ecosystem.
- Cons:
- Kinesis Data Analytics is a general stream-processing service. Its SQL runtime does include a RANDOM_CUT_FOREST function, but anomaly detection still means writing, tuning and operating the query yourself: window sizes, scoring thresholds and what happens to flagged records are all custom logic.
- Operational complexity: even though the services are managed, that custom detection logic needs ongoing tuning and maintenance as the fleet grows and the data profile of newer vehicles changes.
While this is a good option with minimal operational overhead, it still requires custom logic for anomaly detection, which is not as optimal as using a more specialized service.
Option C: AWS IoT FleetWise, Kinesis Data Streams, Kinesis Data Firehose, AWS Glue
- Pros...
Author: Oliver · Last updated May 13, 2026
During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this sec...
Let's evaluate each of the options based on the need to automatically detect and remediate the security vulnerability of IAM user secret access keys being committed in code repositories.
Option A: Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials
- Pros:
- AWS Systems Manager can be used to run scripts on instances, which could potentially search for credentials stored on the instances.
- AWS Secrets Manager can handle credential rotation effectively.
- Cons:
- Not directly related to CodeCommit: This approach focuses on scanning the development instances, not the code repository where the credentials are actually stored.
- Nightly scans are not timely enough to address immediate security risks since the credentials are already exposed in the repository.
- Operational overhead: scanning every development instance and rotating whatever is found there adds complexity without addressing the root cause, which is keys living in source control. Secrets Manager rotation also only helps for secrets the application already reads from Secrets Manager; a key pasted into code stays valid until someone deactivates it in IAM.
This option is rejected because it does not address the immediate concern of finding credentials in the code repository and has higher operational overhead.
Option B: Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS
- Pros:
- Lambda is serverless and scales automatically, so a scheduled scan costs nothing while idle.
- It targets CodeCommit directly, which is where the committed credentials actually are, so it can detect keys once they land in the repository.
- Cons:
- AWS KMS is a key-management service, not a secret store: it holds and uses encryption keys but does not store arbitrary values such as access keys. New credentials would belong in AWS Secrets Manager or Systems Manager Parameter Store, which this option does not use.
- Generating new credentials is only half a remediation. Unless the exposed key is also deactivated or deleted in IAM, it keeps working for anyone who has read the repository history.
- A scheduled scan is reactive: it finds keys only after they have been committed and only on the next run, with no notification to the developer and no real-time enforcement.
This option is rejected because it is reactive rather than proactive, uses KMS for something it does not do, and never revokes the exposed key.
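The detect-and-revoke logic that any Lambda-based remediation of this finding needs, as an added example that is not from the original page: it scans file contents for IAM access key IDs and secret access keys, then turns the findings into the IAM and SNS calls a remediation function would make. The sample repository contents are constructed for the example and use the placeholder key pair from the AWS documentation, not a live credential; the regular expressions, the SNS topic ARN and the choice to deactivate rather than delete the key are the example's own. The calls are returned as dictionaries rather than executed so the block runs offline; in a deployed Lambda the file contents would come from the CodeCommit API and the dictionaries would be passed to `iam.update_access_key()` and `sns.publish()`.

```python
"""Added example: scan repository contents for committed IAM access keys and
produce the revocation and notification calls a remediation Lambda would make.
Sample files and the SNS topic are constructed for the example."""
import re

# Long-term IAM user access key IDs are 20 characters starting with AKIA
# (ASIA marks temporary keys). Secret keys are 40 characters of base64-like
# text, too generic to match alone, so the secret pattern also requires a
# nearby variable name such as AWS_SECRET_ACCESS_KEY or aws_secret_access_key.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,3}[=:]\W{0,3}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample repository (not from the page). The key pair is the
# well-known placeholder from the AWS documentation, not a live credential.
SAMPLE_FILES = {
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your environment; never commit it.\n",
    "app/ids.py": "ORDER_PREFIX = 'AKIAJUSTTOOSHORT'\n",   # too short to be a key ID
}


def scan_text(path, text):
    """Return one finding per credential-looking token, with its location."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "access_key_id", "value": match.group(1)})
        for match in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "secret_access_key", "value": match.group(1)})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (what a Lambda would fetch from
    CodeCommit with get_differences/get_blob for the commit in question)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def mask(value):
    """Never echo a secret into a notification; keep a recognizable prefix."""
    return value[:4] + "*" * (len(value) - 4)


def remediation_plan(findings, sns_topic_arn):
    """Build the boto3 calls for remediation without executing them:
      iam.update_access_key(AccessKeyId=..., Status='Inactive', UserName=...)
        (UserName is obtained in a live run from
         iam.get_access_key_last_used(AccessKeyId=...), which returns it)
      sns.publish(TopicArn=..., Subject=..., Message=...)
    Deactivating rather than deleting keeps the key ID auditable and is
    reversible if a finding turns out to be a false positive."""
    key_ids = sorted({f["value"] for f in findings if f["kind"] == "access_key_id"})
    disable_calls = [{"AccessKeyId": key_id, "Status": "Inactive"} for key_id in key_ids]
    report = [f"{f['path']}:{f['line']} {f['kind']} {mask(f['value'])}" for f in findings]
    notify_call = {
        "TopicArn": sns_topic_arn,
        "Subject": "Credentials committed to CodeCommit",
        "Message": "\n".join(report) if report else "no findings",
    }
    return {"iam_update_access_key": disable_calls, "sns_publish": notify_call}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    plan = remediation_plan(found, "arn:aws:sns:us-east-1:123456789012:secrets-alerts")
    print(plan["sns_publish"]["Message"])
    print("keys to deactivate:", [c["AccessKeyId"] for c in plan["iam_update_access_key"]])
```

Two design points worth carrying into a real deployment: the scan should run on every commit (a CodeCommit trigger invoking the function) rather than on a schedule, because the exposure window starts at the push, and the notification must carry only masked values so the alert channel does not become a second copy of the secret. Amazon CodeGuru Reviewer's secrets detection offers the detection half of this as a managed feature for CodeCommit repositories; the revocation step is still yours to implement.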
Option C: Configure Amazon Macie to scan for credentials in C...