Design for Organizational Complexity

Question 1

How to add accounts from another AWS Organization to your existing Security Hub?

Answer 1

Send invites from a Security Hub administrator account

Question 2

Tool to transport VPC flow logs to Amazon OpenSearch

Answer 2

Amazon Kinesis Firehose

Question 3

Infrastructure as code when you want to allow users to use the templates without granting them direct permissions to create resources

Answer 3

AWS Proton

Question 4

Tool to generate daily cost and usage reports for an Organization that are saved to S3

Answer 4

AWS Cost and Usage Reports

Question 5

Which tool to set up a WordPress site for someone with zero AWS experience

Answer 5

Lightsail

Question 6

To Handle private DNS for multiple VPCs in S3, do you

A. Create a Private Hosted Zone for each VPC and configure replication between them.

B. Create a single Private Hosted Zone and associate each VPC with it as you create them.

Answer 6

B. Create a single Private Hosted Zone and associate each VPC with it as you create them.

Question 7

How to trigger events when someone deploys an AWS Service Catalog product?

Answer 7

Amazon CloudWatch to monitor Service Catalog and trigger a Lambda or Step Function.

Question 8

You currently have Route53 configured to route www.example.com to an ELB. How would you also allow users to use example.com

Answer 8

Create an alias record that routes example.com to the ELB.

Question 9

What tool for an automated lift-and-shift solution to migrate a wide variety of servers and OSs?

Answer 9

AWS Application Migration Service

Question 10

How to handle single sign on for on-prem Active Directory

Answer 10

AWS SSO

Question 11

How to enable your Direct Connect to access VPCs in other regions.

Answer 11

Set up a private virtual interface for your Direct Connect connection to a Direct Connect gateway and associate the Direct Connect gateway with the virtual private gateway of the VPC.

Question 12

How to have Route 53 use an on-premises DNS resolver

Answer 12

In the Route 53 Resolver:

1. Create an outbound endpoint.
2. Define rules to specify which DNS queries are to be forwarded to the on-premises DNS resolver

Question 13

How to have RDS instance storage adapt to additional storage requirements without manual intervention?

Answer 13

Enable Storage autoscaling

Question 14

What service to transfer files over FTP?

Answer 14

AWS Transfer Family

Question 15

Tool for log analytics

Answer 15

Amazon OpenSearch

Question 16

CloudWatch metric to determine available storage for an RDS instance

Answer 16

FreeStorageSpace

Question 17

Recommended way to share Lake Formation database tables across accounts

Answer 17

Lake Formation tag-based access control (LF-TBAC)

Question 18

Solution to redirect users to different sites based on device type.

Answer 18

Use a Lambda@Edge function with Cloudfront

Question 19

Tool to require all accounts in an Organization to back up all DynamoDB tables weekly?

Answer 19

AWS Backup to define policies and AWS Organizations to enable them.

Question 20

Which tool to establish relationships with on-prem Active Directory directories

Answer 20

AWS Directory Service for Microsoft Active Directory

Question 21

How do you implement multiple statement elements for a Service Control Policy?

Answer 21

Combine then into one statement element with an object array.

Question 22

How to integrate VPCs on newly acquired accounts into a hub-and-spoke network architecture

Answer 22

Initiate a peering attachment between the hub gateway and all new VPCs. Setup routes on the spoke VPCs to direct traffic .

Question 23

Does Lambda@Edge guarantee the persistence of global variables?

Answer 23

No

Question 24

CloudWatch metric to determine available storage for an Aurora DB

Answer 24

FreeLocalStorage

Question 25

Should business units with shared security requirements share an Organizational Unit?

Answer 25

No, business units should have their own Organizational Unit

Question 26

What are the two types of AWS Config Aggregators?

Answer 26

Individual accounts aggregators and organization aggregators

Question 27

What section of a business should have its own accounts within an Organizational Unit

Answer 27

Project groups. Business units should have an Organizational Unit that contains those accounts.

Question 28

How do you restrict a service-linked role with a SCP?

Answer 28

You can’t.

Question 29

How to have a single Aurora database span multiple regions?

Answer 29

Amazon Aurora Global Database

Question 30

S3 Routing based on the location of your users?

Answer 30

Geolocation routing

Question 31

S3 Routing based on the location of your resources?

Answer 31

Geoproximity routing

Question 32

What is active-passive failover?

Answer 32

When your secondary group of resources are on standby until a failover happens

Question 33

What is active-active failover?

Answer 33

When your resources in different regions are all primary resources and the failover simply bypasses any that aren’t working

Question 34

What types of subnets can an Elastic IP be used in?

Answer 34

Public only

Question 35

What is the minimum number of Availability Zones you can use for Multi-AZ RDS?

Answer 35

2

Question 36

How to allow an account in an Organization to not share its Reserved Instances?

Answer 36

You have to turn off sharing on the master account for that OU

Question 37

Your ECS cluster cannot access ECR. What do you do?

Question 38

Trusted access vs cross-account access

Answer 38

Trusted access for accounts in the same Organization. Cross-account access for accounts outside of the Organization.