Practice Exam - 3 Flashcards

Question

**An application consists of three tiers within a single Region. A Solutions Architect is designing a disaster recovery strategy that includes an RTO of 30 minutes and an RPO of 5 minutes for the data tier. Application tiers use Amazon EC2 instances and are stateless. The data tier consists of a 30TB Amazon Aurora database.** **Which combination of steps satisfies the RTO and RPO requirements while optimizing costs? (Select TWO.)** 1. Create a cross-Region Aurora Replica of the database 2. Deploy a hot standby of the application tiers to another Region 3. Use AWS DMS to replicate the Aurora DB to an RDS database in another Region. 4. Create snapshots of the Aurora database every 5 minutes. 5. Create daily snapshots of the EC2 instances and replicate them to another Region.

Answer 1

1. **Create a cross-Region Aurora Replica of the database** 2. **Deploy a hot standby of the application tiers to another Region** 3. Use AWS DMS to replicate the Aurora DB to an RDS database in another Region. 4. Create snapshots of the Aurora database every 5 minutes. 5. Create daily snapshots of the EC2 instances and replicate them to another Region.

Answer 2

1. **Put the application instances in an Amazon EC2 Auto Scaling group. Configure the Auto Scaling group to create new instances if an instance becomes unhealthy.** 2. Move the Java content to an Amazon S3 bucket configured for static website hosting. Configure cross-Region replication for the S3 bucket contents. 3. **Migrate the database to Amazon RDS for MySQL Configure the RDS instance to use a Multi-AZ deployment.** 4. **Configure the application to store the user's session in Amazon ElastiCache. Use Application Load Balancers to distribute the load between application instances.** 5. Configure the application to run in multiple Regions. Use an Application Load Balancer to distribute the load between application instances. 6. Migrate the database to Amazon EC2 instances in multiple Availability Zones. Configure Multi-AZ to synchronize the changes.

Answer 3

1. Modify the shell script to ensure that individual files are being copied rather than directories. 2. Connect directly to the USB interface on the Snowball Edge device and copy the files locally. 3. Cluster two Snowball Edge devices together to increase the throughput of the devices. 4. **Perform multiple copy operations at one time by running each command from a separate terminal window, in separate (Correct) instances of the Snowball client.**

Answer 4

1. **Use Amazon DynamoDB with a global table across both Regions so reads and writes can occur in either location.** 2. **Run the web and application tiers in both Regions in an active/active configuration. Use Auto Scaling groups for the web and application layers across multiple Availability Zones in the Regions. Use zonal Reserved Instances for the minimum number of servers and On-Demand Instances for any additional resources.** 3. **Use an Amazon Route 53 failover routing policy for failover from the primary Region to the disaster recovery Region. Set Time to Live (TTL) to 30 seconds.** 4. Use an Amazon Aurora global database across both Regions so reads and writes can occur in either location. 5. Run the web and application tiers in both Regions in an active/active configuration. Use Auto Scaling groups for the web and application layers across multiple Availability Zones in the Regions. Use Spot Instances for the required resources. 6. Use an Amazon Route 53 weighted routing policy set to loo/o across the two selected Regions. Set Time to Live (TTL) to 30 minutes.

Answer 5

1. Use AWS Lambda to synchronize the contents of the GitHub repository to AWS CodeCommit. Use AWS CodeDeploy to create and execute a change set. Configure CodeDeploy to test the environment using testing scripts run by AWS CodeBuild. 2. Use AWS CodePipeline to create and execute a change set when updates are made to the CloudFormation templates in GitHub. Include a CodePipeline action to test the deployment with testing scripts run using AWS CodeDeploy. Upon successful testing, configure CodePipeline to execute the change set and deploy to production. 3. Use AWS Lambda to synchronize the contents of the GitHub repository to AWS CodeCommit. Use AWS CodeBuild to create and execute a change set from the templates in GitHub. Configure CodeBuild to test the deployment with testing scripts. 4. **Use AWS CodePipeline to create a change set when updates are made to the CloudFormation templates in GitHub. Include a CodePipeline action to test the deployment with testing scripts run using AWS CodeBuild. Upon successful testing, configure CodePipeline to execute the change set and deploy to production.**

Answer 6

1. Migrate the Oracle data warehouse to an Amazon ElastiCache for Redis cluster using AWS DMS. 2. **Migrate the MySQL databases to Amazon RDS for MySQL using AWS DMS.** 3. **Migrate the Oracle data warehouse to Amazon Redshift using AWS SCT and AWS DMS.** 4. Lift and shift the Oracle data warehouse to Amazon EC2 using AWS Snowball. 5. Lift and shift the MySQL databases to Amazon EC2 using AWS Snowball.

Answer 7

1. Check the ACLs for all S3 buckets. 2. Check the bucket policies for all S3 buckets. 3. Check for the permissions boundaries set for the lAM user. 4. **Check if an appropriate lAM role is attached to the lAM user.** 5. **Check the SCPs set at the organizational units (OUs).**

Answer 8

1. Attach each VPC to a shared transit gateway. Use an egress VPC with firewall appliances in two AZs and attach the transit gateway. 2. Attach each VPC to a centralized transit VPC with a VPN connection to each standalone VPC. Outbound internet traffic will be controlled by firewall appliances. 3. **Attach each VPC to a shared transit gateway. Use an egress VPC with firewall appliances in two AZs and connect the transit gateway using IPSec VPNs with BGP.** 4. Attach each VPC to a shared centralized VPC. Configure VPC peering between each VPC and the centralized VPC. Configure a NAT gateway in two AZs within the centralized VPC.

Answer 9

1. **Redeploy the application to use Amazon S3 multipart upload.** 2. Create an Amazon CloudFront distribution with the S3 bucket as an origin. 3. Modify the Amazon S3 bucket to use Intelligent Tiering. 4. Configure the client application to use byte-range fetches. 5. **Configure the S3 bucket to use S3 Transfer Acceleration.**

Answer 10

1. Use an Application Load Balancer (ALB) in front of the application instance. Use a friendly DNS entry in Amazon Route 53 pointing to the ALBs internet facing a fully qualified domain name (FQDN). 2. **Enable AWS Shield Advanced on all public-facing resources.** 3. **Use a Network Load Balancer (NLB) in front of the application instance. Use a friendly DNS entry in Amazon Route 53 pointing to the NLBs Elastic IP address.** 4. Define an AWS WAF rule to explicitly drop non-UDP traffic and associate the rule with the load balancer. 5. **Configure a network ACL rule to block all non-UDP traffic. Associate the network ACL with the subnets that hold the load balancer instances.** 6. Use AWS Global Accelerator with an Elastic Load Balancer as an endpoint

Answer 11

1. Create an AWS Batch compute environment for each Lambda function. Configure an AWS Batch job queue for the computer environment. Create a Lambda function to retrieve a list of files and write each item to the job queue. 2. Create a Lambda function to retrieve a list of files and write each item to an Amazon SQS queue. Subscribe the metadata extraction Lambda functions to the SQS queue with a large batch size. 3. Create an AWS Step Functions workflow to run the Lambda functions in parallel. Create another Step Functions workflow that retrieves a list of files and executes a metadata extraction workflow for each one. 4. **Create an AWS Step Functions workflow to run the Lambda functions in parallel. Create a Lambda function to retrieve a list of files and write each item to an Amazon SQS queue. Configure or the SQS queue as an input to the Step Functions workflow.**

Answer 12

1. **Update the DNS service on the Active Directory servers to forward all non-authoritative queries to the VPC Resolver.** 2. Define an inbound Amazon Route 53 Resolver. Set a conditional forwarding rule for the Active Directory domain to the Active Directory servers. Configure the DNS settings in the VPC DHCP options set to use the AmazonProvidedDNS servers. 3. Update the DNS service on the Active Directory servers to forward all queries to the VPC Resolver. 4. **Define an outbound Amazon Route 53 Resolver. Set a conditional forwarding rule for the Active Directory domain to the Active Directory servers. Configure the DNS settings in the VPC DHCP options set to use the AmazonProvidedDNS servers.** 5. Configure the DNS service on the EC2 instances in the VPC to use the VPC resolver server as the secondary DNS server.

Answer 13

1. Create an AWS CloudTrail trail that tracks data events. Configure Amazon CloudWatch to monitor the trail and trigger an alarm when billing metrics exceed a certain threshold. 2. Create an Amazon Cloud Watch metric for billing. Create a custom alert when costs exceed the budgetary threshold. 3. Install the unified Cloud Watch Agent on the RedShift cluster hosts. Track the billing metric data in CloudWatch and trigger an alarm when a threshold is reached. 4. **Create an AWS Service Catalog portfolio for each team. Add each team's Amazon RedShift cluster as an AWS CloudFormation template to their Service Catalog portfolio as a Product.** 5. **Update the AWS CloudFormation template to include the AWS:: Budgets::Budget::resource with the NotificationsWithSubscribers property.**

Answer 14

1. Create a new private virtual interface for the existing DX connection, and create a new VPN that connects to the VPC over the DX private virtual interface. 2. Create a client VPN endpoint and configure the users’ computers to use an AWS client VPN to connect to the VPC over the Internet. 3. Create a new Site-to-Site VPN that connects to the VPC over the internet. 4. **Create a new public virtual interface for the existing DX connection, and create a new VPN that connects to the VPC over the DX public virtual interface.**

Answer 15

1. Create an Amazon EFS file system with the throughput mode set to Provisioned. Mount the EFS file system to the EC2 operating system. 2. **Change the PIOPS volume for a 1-TB EBS General Purpose SSD (gp2) volume.** 3. Create an Amazon EFS file system with the performance mode set to Max I/O. Mount the EFS file system to the EC2 operating system. 4. Change the PIOPS volume for a 1-TB Throughput Optimized HDD (st1) volume.

Answer 16

1. Store the data in Amazon DocumentDB in two Regions. Use AWS DMS to synchronize data between databases. Run the web service on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer in each Region. In Amazon Route 53, configure an alias record and a failover routing policy. 2. Store the data in Amazon S3 buckets in two Regions and configure cross Region replication. Create an Amazon CloudFront distribution that points to multiple origins. Use Amazon API Gateway and AWS Lambda for the web frontend and configure Amazon Route 53 with an alias record pointing to the REST API. 3. **Store the data in an Amazon DynamoDB global table in two Regions using on-demand capacity mode. Run the web service in both Regions as Amazon ECS Fargate tasks in an Auto Scaling ECS service behind an Application Load Balancer (ALB). In Amazon Route 53, configure an alias record and a latency-based routing policy with health checks to distribute traffic between the two ALBs.** 4. Store the data in Amazon Aurora global databases. Add Auto Scaling replicas to both Regions. Run the web service on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer in each Region. In Amazon Route 53, configure an alias record and a multi-value routing policy.

Answer 17

1. Use Tag Editor to tag existing resources. Create cost allocation tags to define the cost center and project ID and allow 24 hours for tags to activate. 2. **Use Tag Editor to tag existing resources. Create cost allocation tags to define the cost center and project ID. Use SCPs to restrict the creation of resources that do not have the cost center and project ID tags specified.** 3. Create cost allocation tags to define the cost center and project ID and allow 24 hours for tags to activate. Use permissions boundaries to restrict the creation of resources that do not have the cost center and project ID tags specified. 4. Use an AWS Config rule to check for untagged resources. Create a centralized AWS Lambda based solution to tag untagged EC2 instances and RDS databases every hour using a cross-account role.

Answer 18

1. Deploy instances across at least three Availability Zones. 2. **Deploy Amazon EC2 instances in a cluster placement group.** 3. Use Amazon EC2 instances that support burstable performance. 4. **Use Amazon EC2 instance types and AMIs that support EFA.** 5. Deploy Amazon EC2 instances in a partition placement group.

Answer 19

1. **Use the Block Public Access feature in Amazon S3 to set the lgnorePublicAcls option to TRUE on the bucket.** 2. Configure server access logging and monitor the log files to check for unauthorized access. 3. Modify the settings on the S3 bucket to enable default encryption for all objects. 4. Use the Block Public Access feature in Amazon S3 to set the BlockPublicPolicy option to TRUE on the bucket.

Answer 20

1. The company should create an lAM role and assign the required permissions to the lAM role. The customer should then use the lAM roles Amazon Resource Name (ARN) when requesting access to perform the required tasks. 2. The company should provide the customer with their AWS account access keys to log in and perform the required tasks. 3. **The company should create an lAM role and assign the required permissions to the lAM role. The customer should then use the lAM roles Amazon Resource Name (ARN), including the external ID in the lAM role’s trust policy, when requesting** 4. The company should create an lAM user and assign the required permissions to the lAM user. The company should then provide the credentials to the customer to login and perform the required tasks.

Answer 21

1. **Deploy the AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission to manage the instances.** 2. Deploy a Linux bastion host with an Elastic IP address in the public subnet. Allow access to the bastion host from 0.0.0.0/0. 3. Deploy a server on the corporate network that can be used for managing EC2 instances. Update the security groups to allow connections over SSH and RDP from the on-premises management server only. 4. Configure an IPSec Virtual Private Network (VPN) connecting the corporate network to the Amazon VPC. Update security groups to allow connections over SSH and RDP from the corporate network only.

Answer 22

1. **Specify DISABLED for Auto-assign public IP when launching the task and configure a NAT gateway in a public subnet to route requests to the internet.** 2. Enable dual-stack in the Amazon ECS account settings and configure the network for the task to use awsvpc. 3. Specify **ENABLED** for **Auto-assign public IP** when launching the task. 4. Specify **DISABLED** for **Auto-assign public IP** when launching the task and configure a NAT gateway in a private subnet to route requests to the internet.

Answer 23

1. Check the security group for the EC2 instances to ensure it allows ingress from the NLB subnets. 2. Check the security group for the NLB to ensure it allows egress to the private subnet. 3. **Check the security group for the EC2 instances to ensure it allows ingress from the customer office.** 4. Check the security group for the NLB to ensure it allows ingress from the customer office.

Answer 24

1. A linear deployment 2. **A canary deployment** 3. An all-at-once deployment 4. A blue/green deployment

Answer 25

1. Add Aurora Replicas and define a scaling policy. Use a Network Load Balancer and set the load balancing algorithm type to round\_robin. 2. Add Aurora Replicas and define a scaling policy. Use an Application Load Balancer and set the load balancing algorithm type to least\_outstanding\_requests. 3. Add Aurora Replicas and define a scaling policy. Use a Network Load Balancer and set the load balancing algorithm type to least\_outstanding\_requests. 4. **Add Aurora Replicas and define a scaling policy. Use an Application Load Balancer and set the load balancing algorithm type to round\_robin.**

Answer 26

1. Use AWS Savings Plans to configure budget thresholds and send alerts to management. 2. **Apply environment, cost center, and application name tags to all resources that accept tags.** 3. Use Amazon CloudWatch to create a billing alarm that notifies managers when a billing threshold is reached or exceeded. 4. Configure custom budgets and define thresholds using AWS Cost Explorer. 5. **Create an AWS Service Catalog portfolio for each business unit and add products to the portfolios using AWS CloudFormation templates.**

Answer 27

1. Enable versioning on the amazon S3 buckets and enable cross-Region snapshots. 2. **Enable DynamoDB global tables to achieve multi-Region table replication.** 3. **Enable Amazon Route S3 health checks to determine if the primary site is down, and route traffic to the disaster recovery site if there is an issue.** 4. **Enable Amazon S3 cross-Region replication on the buckets that contain images.** 5. Enable multi-Region targets on the Elastic Load Balancer and target Amazon EC2 instances in both Regions. 6. Enable DynamoDB Streams and use an event-source mapping to a Lambda function which populates a table in the second Region.

Answer 28

1. **Create a DX connection to a second AWS Region. Use DynamoDB global tables to replicate data to the second Region. Modify the application to fail over to the second Region.** 2. Create a DX connection to a second AWS Region. Create an identical DynamoDB table in the second Region. Enable DynamoDB auto scaling to manage throughput capacity. Modify the application to write to the second Region. 3. Use an AWS managed VPN to connect to a second AWS Region. Create a copy of the DynamoDB table in the second Region. Enable DynamoDB streams in the primary Region and use AWS DMS to synchronize data to the copied table. 4. Use an AWS managed VPN to connect to a second AWS Region. Create a copy of the DynamoDB table in the second Region. Enable DynamoDB streams in the primary Region and use AWS Lambda to synchronize data to the copied table.

Answer 29

1. **Define the AWS resources using JavaScript or TypeScript. Use the AWS Cloud Development Kit (AWS CDK) to create CloudFormation templates from the developer's code and use the AWS CDK to create Cloud Formation stacks. Incorporate the AWS CDK as a CodeBuild job in CodePipeline.** 2. Use a third-party resource provisioning engine inside AWS CodeBuild to standardize the deployment processes. Orchestrate the CodeBuild job using CodePipeline and use CloudFormation for deployment. 3. Use AWS SAM and specify a serverless transform. Add the JavaScript and Typescript code as metadata to the template file Use AWS CodeBuild to build the code and output a CloudFormation template. 4. Create CloudFormation templates and re-use para of the JavaScript and Typescript code as Instance user data. Use the AWS Cloud Development Kit (AWS CDK) to deploy the application using these templates. Incorporate the AWS CDK into CodePipeline and deploy the application to AWS using these templates.

Answer 30

1. Use AWS OpsWorks and deploy the application using a canary deployment strategy. 2. Use AWS CodeDeploy and deploy the application using an in-place update deployment strategy. 3. **Use AWS OpsWorks and deploy the application using a blue/green deployment strategy.** 4. Use AWS Elastic Beanstalk and deploy the application using a rolling update deployment strategy.

Answer 31

1. Deploy the application into a new CloudFormation stack. Use an Amazon Route 53 weighted routing policy to distribute the load. 2. Use AWS CodeDeploy to deploy using the CodeDeployDefault.HalfAtATime deployment configuration to distribute the load. 3. **Create an alias for new versions of the Lambda function. Use the AWS CLI update-alias command with the routing-config parameter to distribute the load.** 4. Create a version for every new update to the Lambda function code. Use the AWS CLI update-function-configuration command with the routing-config parameter to distribute the load.

Answer 32

1. Establish a Site-to-Site VPN from the on-premises data center to AWS. 2. Create a GraphQL API in AWS AppSync, create an AWS Lambda function to process the Amazon Kinesis data stream, and use the @connections command to send callback messages to connected clients. 3. **Establish an AWS Direct Connect connection from the on premises data center to AWS.** 4. **Create a WebSocket API in Amazon API Gateway, create an AWS Lambda function to process an Amazon Kinesis data stream, and use the @connections command to send callback messages to connected clients.** 5. Create an Amazon EC2 Auto Scaling group to pull the messages from the on-premises Kafka cluster and use the Amazon Consumer Library to put the data into an Amazon Kinesis data stream. 6. **Create an Amazon EC? Auto Scaling group to pull the messages from the on-premises Kafka cluster and use the Amazon Kinesis Producer Library to put the data into a Kinesis data stream.**

Answer 33

1. Store each incoming record as a single .csv file in an Amazon S3 bucket. Configure a lifecycle policy to delete data older than 90 days. 2. Store each incoming record in a single table in an Amazon RDS MySQL database. Run a nightly cron job that executes a query to delete any records older than 90 days. 3. **Store each incoming record in an Amazon DynamoDB table. Configure the DynamoDB Time to Live (TTL) feature to delete records older than 90 days.** 4. Store the records in an Amazon Kinesis Data Stream. Configure the Time to Live (TTL) feature to delete records older than 90 days.

Answer 34

1. **Enable an Elastic Fabric Adapter (EFA) on a supported EC2 instance type.** 2. Attach multiple elastic network interfaces (ENI) to reduce latency. 3. Ensure the cluster is launched across multiple Availability Zones. 4. **Replace Amazon EFS with Amazon FSx for Lustre.** 5. **Ensure the HPC duster is launched within a single Availability Zone.** 6. Replace Amazon EFS with multiple FXs for Windows File Server.

Answer 35

1. Deploy the applications in an Amazon ECS cluster and apply Service Auto Scaling. 2. Place the image processing EC2 instance into an Auto Scaling group. 3. **Create an Amazon CloudFront distribution in front of the processed images bucket** 4. **Replace the EC2 instance with AWS Lambda to run the image processing tasks.** 5. Replace the EC2 instance with Amazon Rekognition for image processing.

Answer 36

1. **Use a custom-built SAML-compatible solution that uses LDAP for authentication and uses a SAML assertion to perform authorization to the lAM identity provider.** 2. Use a custom-built SAML-compatible solution for authentication and use AWS SSO for authorization. 3. **Use a custom-built OpenID Connect-compatible solution for authentication and use Amazon Cognito for authorization.** 4. Create a custom-built LDAP connector using Amazon API Gateway and AWS Lambda for authentication. Use a token-based Lambda authorizer that uses JWT. 5. Use a custom-built OpeniD Connect-compatible solution with AWS SSO for authentication and authorization.

Answer 37

1. Host static website content in Amazon S3. Use 53 Transfer Acceleration to reduce latency while serving web pages. Use AWS WAF to improve website security. 2. **Host static website content in Amazon S3. Use Amazon CloudFront to reduce latency while serving web pages. Use AWS WAF to improve website security.** 3. Launch Amazon EC2 instances in two Availability Zones to host a highly available MySOL database cluster. 4. Migrate the database to a single-AZ Amazon RDS for MySQL DB instance. 5. **Create an Auto Scaling group of Amazon EC2 instances in two Availability Zones and attach an Application Load Balancer.** 6. **Migrate the database to an Amazon Aurora MySQL DB cluster configured for Multi-AZ.**

Answer 38

1. Modify the 53 upload process in the Development account to add the bucket-owner- full-control ACL to the objects at upload. 2. Create a new lAM role in the Development account with read access to the S3 bucket. Configure 53 to use this new role as its OAI. Modify the build pipeline to assume this role when uploading files from the Development Account 3. **Create a new cross-account lAM role in the Production account with write access to the S3 bucket Modify the build pipeline to assume this role to upload the files to the Production Account** 4. Modify the 53 upload process in the Development account to set the object owner to the Production Account.

Answer 39

1. Use local storage to cache query output. Use 53 COPY commands to sync the dataset to Amazon S3. Refactor the API to use Amazon EFS. Implement Amazon API Gateway and enable API caching. 2. Rehost the DB2 database to an Amazon EC2 instance. Migrate all the data. Enable caching using an instance store. Refactor the API to use the Amazon EC2 DB2 database. Implement Amazon API Gateway and enable API caching. 3. Export data on a daily basis and upload to Amazon S3. Refactor the API to use the S3 data. Implement Amazon API Gateway and enable API caching. 4. **Use AWS DMS to migrate data to Amazon DynamoDB using a continuous replication task. Refactor the API to use the DynamoDB data. Implement the refactored API in Amazon API Gateway and enable API caching**.

Answer 40

1. Deploy a Cl/CD pipeline that incorporates AMIs to contain the application and their configurations. Deploy the application by replacing Amazon EC2 instances. 2. **Use AWS Elastic Beanstalk and create a secondary environment configured as a deployment target for the Cl/CD pipeline. To deploy, swap the staging and production environment URLs.** 3. Use AWS CloudFormation StackSets to create production and staging stacks. Update the staging stack and use Amazon Route 53 weighted routing to point to the StackSet endpoint address. 4. Package updates into an Amazon EC2 AMI and update the Auto Scaling group to use the new AMI. Terminate existing instances in a staged approach to cause launches using the new AMI.

Answer 41

1. **Set up a 1 Gbps AWS Direct Connect connection. Then, provision a private virtual interface, and use AWS Server Migration Service (SMS) to migrate the VMs into Amazon EC2.** 2. Use an AWS Storage Gateway file gateway. Mount the file gateway and synchronize the VM file systems to cloud storage. Use the VM Import/Export to import from cloud storage to Amazon EC2. 3. Export the VMs locally, beginning with the most mission-critical servers first Use Amazon S3 Transfer Acceleration to quickly upload each VM to Amazon 53 after they are exported. Use VM Import/Export to import the VMs into Amazon EC2. 4. Migrate mission-critical VMs with AWS SMS. Export the other VMs locally and transfer them to Amazon S3 using AWS Snowball. Use VM Import/Export to import the VMs into Amazon EC2.

Answer 42

1. Create an Amazon SNS topic to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm to invoke the Lambda function. 2. Update the Lambda function to be triggered by messages published to an Amazon SNS topic. Update the existing application code to retry every 5 minutes if the ticketing systems API endpoint is unavailable. 3. **Update the Lambda function to poll the Amazon SOS queue for messages and to return successfully when the ticketing system API has processed the request.** 4. Create an Amazon SOS queue to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm to publish to the SOS queue. 5. **Create an Amazon Eventßridge rule with a pattern that looks for AWS CloudTrail events where the API calls involve the root user account. Configure an Amazon SQS queue as a target for the rule.**

Answer 43

1. **Configure a Lambda function to retrieve messages from an Amazon SQS queue. Modify the Lambda function to retrieve a maximum of 10 messages then batch the messages by Amazon Route 53 API call type and submit. Delete the messages from the SQS queue after successful API calls.** 2. Configure an Amazon SQS FIFO queue and configure a CloudWatch Events rule to use this queue as a target. Remove the Lambda target from the CloudWatch Events rule. 3. **Update the CloudWatch Events rule to trigger on Amazon EC2 “Instance Launch Successful'' and “Instance Terminate Successful” events for the Auto Scaling group used by the cluster.** 4. **Configure an Amazon SQS standard queue and configure the existing CloudWatch Events rule to use this queue as a target. Remove the Lambda target from the CloudWatch Events rule.** 5. Configure an Amazon Kinesis data stream and configure a CloudWatch Events mie to use this queue as a target Remove the Lambda target from the CloudWatch Events rule. 6. Configure a Lambda function to read data from the Amazon Kinesis data stream and configure the batch window to 5 minutes. Modify the function to make a single API call to Amazon Route 53 with all records read from the Kinesis data stream.

Answer 44

1. Create an AWS CodeDeploy application that pulls the latest container image from Amazon ECR. updates the container with code from the source AWS CodeCommit repository. and pushes the updated container image to Amazon ECR. 2. Create an AWS CodePipeline pipeline that sources the tool code from the AWS CodeCommit repository and initiates an AWS CodeDeploy application update. 3. **Create an AWS Codeßuild project that pulls the latest container image from Amazon ECR. updates the container with code from the source AWS CodeCommit repository, and pushes the updated container image to Amazon ECR**. 4. Create an Amazon Eventßridge rule that triggers on commits to the AWS CodeCommit repository for the image. Configure the event to trigger an update to the image in Amazon ECR. Push the updated container image to Amazon ECR. 5. **Create an Amazon ECR repository for the image. Create an AWS CodeCommit repository containing code for the tool being deployed to the container image in Amazon ECR.** 6. **Create an AWS CodePipeline pipeline that sources the tool code from the AWS CodeCommit repository and initiates an AWS CodeBuild build.**

Answer 45

1. Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at the root level and each OU. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions, modify the SCP attached to that OU, and add the required AWS services to the allow list. 2. Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at the root level. For any specific exceptions for an OU, create a new SCP for that OU and add the required AWS services to the allow list. 3. **Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at each OU level. Leave the default AWS managed SCP attached to the root level and all OUs. For accounts that require specific exceptions. create an OU under root and attach an SCP that denies fewer services.** 4. Use an SCP in Organizations to implement an allow list of AWS services. Apply this SCP at the root level. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions for an OU. modify the SCP attached to that OU. and add the required AWS services to the allow list

Answer 46

1. Store the uploaded videos in Amazon EFS and mount the file system to the EC2 instances for the web application. Process the queue with an AWS Lambda function that calls the Amazon Rekognition API to perform facial analysis. 2. Use an Amazon S3 static website for the web application. Store uploaded videos in an S3 bucket Use S3 event notification to publish events to the SOS queue. Proœss the queue with Amazon ECS tasks using the Fargate launch type for running the custom recognition software. 3. Use an Amazon S3 static website for the web application. Store uploaded videos in an S3 bucket Use S3 event notification to publish events to the SOS queue. Process the queue with Amazon ECS tasks using the EC2 launch type for running the custom recognition software. 4. **Use an Amazon S3 static website for the web application. Store uploaded videos in an S3 bucket. Use S3 event notification to publish events to the SOS queue. Process the queue with an AWS Lambda function that calls the Amazon Rekognition API to perform facial analysis.**

Answer 47

1. Use Spot instance pricing for the RDS database and the EC2 instances in the Auto Scaling group. 2. **Reserve capacity for the RDS database and the minimum number of EC2 instances that are constantly running.** 3. Reserve capacity for the RDS database and the minimum number of EC2 instances that are constantly running. 4. Reserve capacity for all EC2 instances and leverage Spot Instance pricing for the RDS database.

Answer 48

1. Add a CachePolicyConfig to allow HTTP headers to be included in requests to the origin. 2. **Add a behavior to the CloudFront distribution for the path pattern and the origin of the static assets.** 3. **Add another origin to the CloudFront distribution for the static assets.** 4. Add a rule to the distribution to forward GET method requests to Amazon S3. 5. Add a host header condition to the ALB listener and forward the header from CloudFront to add traffic to the allow list

Answer 49

1. Implement the REST API using a Network Load Balancer (NLB). Run the business logic on an Amazon EC2 instance behind the NLB. Store trader session data in Amazon Aurora Serverless. 2. Implement the REST API using an Application Load Balancer (ALB). Run the business logic in AWS Lambda. Store trader session data in Amazon DynamoDB with on-demand capacity. 3. Implement the REST API using AWS AppSync. Run the business logic in AWS Lambda. Store trader session data in Amazon Aurora Serverless. 4. **Implement the REST API using Amazon API Gateway. Run the business logic in AWS Lambda. Store trader session data in Amazon DynamoDB with on-demand capacity.**

Answer 50

1. Use Amazon Kinesis Data Firehose to collect the inbound sensor data, analyze the data with Kinesis cIients and save the results to an Amazon RDS instance. 2. Use Amazon S3 to collect the inbound device data, analyze the data from Amazon SOS with Kinesis, and save the results to an Amazon Redshift cluster. 3. Use an Amazon API Gateway to put requests into an Amazon SOS queue. analyze the data with an AWS Lambda function, and save the results to an Amazon Redshift cluster using Amazon EMR. 4. **Use Amazon Kinesis Data Streams to collect the inbound data, analyze the data with Kinesis clients, and save the results to an Amazon Redshift cluster using Amazon EMR.**

Answer 51

1. Use AWS WAF to create a WebACL and filter based on the case of the que strings in the URL Configure WAF to trigger an AWS Lambda function that rewrites the URIS to lowercase. 2. Create a path pattern in the CloudFront distribution that forwards all requests to the origin with case-sensitivity turned off. 3. **Create a Lambda@Edge function to sort parameters by name and force them to be lowercase. Select the CloudFront viewer request trigger to invoke the function.** 4. Update the CloudFront distribution to disable caching based on query string parameters.

Answer 52

1. **Use the AWS Application Discovery Service agent for data collection on physical servers and Hyper-V. Use the AWS Agentless Discovery Connector for data collection on VMware. Store the collected data in Amazon S3. Query the data with Amazon Athena. Generate reports by using Amazon QuickSight.** 2. Use the AWS Application Discovery Service agent for data collection on physical servers and all VMs. Store the collected data in Amazon Elastic File System (Amazon EFS). Query the data and generate reports with Amazon Athena. 3. Use the AWS Systems Manager agent for data collection on physical servers. Use the AWS Agentless Discovery Connector for data collection on all VMs. Store, query. And generate reports from the collected data by using Amazon Redshift. 4. Use the AWS Agentless Discovery Connector for data collection on physical servers and all VMs. Store the collected data in Amazon S3. Query the data with S3 Select. Generate reports by using Kibana hosted on Amazon EC2.

Answer 53

1. Use AWS CodeBuild for automated testing. Use CloudFormation change sets to evaluate changes ahead of deployment. Use AWS CodeDeploy to leverage blue/green deployment patterns. 2. **Use AWS Codeßuild to detect and report CloudFormation error conditions when performing deployments. Deploy updates to a separate stack in a test account and use manual test plans to validate the changes.** 3. Use AWS CodeDeploy and a blue/green deployment pattern with CloudFormation to replace the lifecycle hooks. Gather feedback from users to identify issues that may require a rollback. 4. Move the application code to AWS CodeCommit Use CodeBuild to validate the application code and automate testing. Use CloudFormation StackSets to deploy updates to different environments to leverage a blue/green deployment pattern.

Answer 54

1. Use the AWS Billing and Cost Management console to create a reservation budget for Rl utilization, set the utilization to 70%. Configure an alert that notifies the DevOps team. 2. Use AWS Cost Explorer to create a budget for Rl coverage and set the threshold to 70%. Configure an alert that notifies the DevOps team. 3. **Use AWS Budgets to create a budget for Rl coverage and set the threshold to 70% Configure an alert that notifies the DevOps team.** 4. Use AWS Cost Explorer to configure a report for Rl utilization and set the utilization target to 70%. Configure an alert that notifies the DevOps team.

Answer 55

1. **Create an Auto Scaling group of Amazon EC2 instances across three availability zones behind an Application Load Balancer. Create an Amazon Aurora PostgreSQL database in one AZ and add Aurora Replicas in two more AZs.** 2. Create an Auto Scaling group of Amazon EC2 instances across three availability zones behind an Application Load Balancer. Create an Amazon Aurora Global database. 3. Create an Auto Scaling group of Amazon EC2 instances across three availability zones behind a Network Load Balancer. Create an Amazon RDS Multi-AZ PostgreSQL database in one AZ and standby instances in two more AZs. 4. Create an Auto Scaling group of Amazon EC2 instances across three availability zones behind a Network Load Balancer. Create an Amazon Aurora PostgreSQL database in one AZ with storage auto scaling enabled.

Answer 56

1. Configure an Application Load Balancer (ALB) and add the EC2 instances as targets. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB name and enable logging with Amazon CloudWatch Logs. Use an AWS Lambda function to frequently push the logs to the third-party auditing application. 2. **Configure a Multi-AZ Auto Scaling group using the application’s AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Create an Amazon Kinesis Data Firehose with a destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the WebACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.** 3. Configure a Multi-AZ Auto Scaling group using the applications AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target Use Amazon Inspector to monitor traffic to the ALB and EC2 instances. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB. Use an AWS Lambda function to frequently push the Amazon Inspector report to the third-party auditing application. 4. Configure an Application Load Balancer (ALB) along with a target group adding the EC2 instances as targets. Create an Amazon Kinesis Data Firehose with the destination of the third-party auditing application. Create a web ACL in WAR Create an AWS WAF using the web ACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.

Answer 57

1. Create an lAM role for each project that requires access to AWS resources. Attach an inline policy document to the role that specifies the lAM users that are allowed to assume the role, with full control of the resources that belong to the project. Update the policy document when the set of resources changes, or developers change projects. 2. **Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to an lAM group. Change the group membership when developers change projects. Update the policy document when the set of resources changes.** 3. Create a policy document for each project with specific project tags and allow full control of the resources with a matching tag. Attach the project-specific policy document to the lAM role for that project Change the role assigned to the developer’s lAM user when they change projects. Assign a specific project tag to new resources when they are created. 4. Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to the developer’s lAM user when they change projects. Update the policy document when the set of resources changes.

Answer 58

1. Create an AWS WAF web ACL with a mie to allow access to the IP addresses used by the companies. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method. 2. **Create an AWS WAF web ACL with a mie to allow access to the IP addresses used by the companies. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.** 3. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than ten requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the GET method. 4. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than ten requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAl can execute the GET method.

Answer 59

1. Check that local firewall rules are not preventing access to the S3 endpoint. 2. Ensure that blocking all public access has not been enabled in the S3 bucket 3. **Verify that the lAM role has permission to decrypt the referenced KMS key.** 4. Verify that the IAM role has the correct trust relationship configured.

Answer 60

1. Disable encryption by running the CreateDßlnstnace API operation and setting the StorageEncrypted parameter to false. 2. Create an unencrypted read replica of the encrypted DB instance and then promote the read replica to primary. 3. **Export the data from the DB instance and import the data into an unencrypted DB instance.** 4. Create an unencrypted snapshot of the DB instance and create a new unencrypted DB instance from the snapshot

Answer 61

1. Use logical cross-Region replication to replicate the Aurora MySQL database to a secondary Region. Replace the web servers with Amazon S3. Configure cross-Region replication for the S3 buckets. 2. **Use Amazon Route 53 with a latency-based routing policy. Create Auto Scaling groups for the web and application tiers and deploy them in multiple global Regions.** 3. Create Auto Scaling groups for the web and application tiers and deploy them in multiple global Regions. Setup an AWS Direct Connect connection. 4. Migrate the database from Amazon Aurora to Amazon RDS for MySOL Replace the web and application tiers with AWS Lambda functions, create an Amazon SQS queue. 5. **Configure an Aurora global database for storage-based cross-Region replication. Use Amazon S3 with cross-Region replication for static content and resources and create Amazon CloudFront distributions.**

Answer 62

1. **Create a VPC Endpoint Service that accepts TCP traffic and hosts it behind a Network Load Balancer. Enable access to the IT services over the DX connection.** 2. Create a VPC Endpoint Service that accepts HTTP or Hill’S traffic and hosts it behind an Application Load Balancer. Enable access to the IT services over the DX connection. 3. Configure a mesh of AWS VPN CloudHub iPsec VPN connections between the customer AWS accounts and the service provider AWS account 4. Attach an internet gateway to the VPC and ensure that network access control and security group mies allow the relevant inbound and outbound traffic.

Answer 63

1. **Migrate the NAS data to AWS using AWS Storage Gateway.** 2. Launch new Amazon EC2 instances and reinstall all applications. 3. Copy infrequently accessed data from the NAS using AWS SMS. 4. **Migrate the virtual machines with AWS SMS.** 5. Migrate the NAS data to AWS using AWS Snowball.

Answer 64

1. Refactor the applications to Docker containers and deploy them to an Amazon ECS cluster behind an Application Load Balancer. 2. Use Amazon EBS cross-Region replication to create an AMI for each application, run the AMI on Amazon EC2. 3. **Deploy each application to a single-instance AWS Elastic Beanstalk environment without a load balancer.** 4. Use AWS SMS to create an AMI for each virtual machine, run the AMI on Amazon EC2.

Answer 65

1. **Migrate the database to an Amazon RDS Aurora MYSQL configuration. Host the web application on an Auto Scaling configuration of Amazon EC2 instances behind an Application Load Balancer. Use Amazon AppStream 2.0 to improve the user experience.** 2. Migrate the database to an Amazon RDS MySQL Multi-AZ configuration. Host the web application on automatically scaled AWS Fargate containers behind a Network Load Balancer. Use Amazon ElastiCache to improve the user experience. 3. Migrate the database to a MySQL database in Amazon EC2. Host the web application on automatically scaled Amazon ECS containers behind an Application Load Balancer. Allocate an Amazon WorkSpaces WorkSpace for each end user to improve the user experience. 4. Migrate the database to an Amazon EMR cluster with at least two nodes. Deploy the web application on automatically scaled Amazon ECS containers behind an Application Load Balancer. Use Amazon CloudFront to improve the user experience.

Answer 66

1. **Convert the API Gateway Regional endpoint to an edge-optimized endpoint. Enable caching in the production stage.** 2. Create usage plans in API Gateway and distribute API keys to clients. Configure metered access to the production stage. 3. Implement an Amazon ElastiCache for Redis cache to store the results of the database calls. Modify the Lambda functions to use the cache. 4. Modify the instance type of the Aurora database duster to use an instance with more memory.

Answer 67

1. **Use GitHub webhooks to trigger the CodePipeline pipeline. Use the Jenkins plugin for AWS CodeBuild to conduct unit testing. Send alerts to an Amazon SNS topic for any bad builds. Deploy in a blue/green deployment using AWS CodeDeploy.** 2. Use GitHub websockets to trigger the CodePipeline pipeline. Use AWS X-Ray for unit testing and static code analysis. Send alerts to an Amazon SNS topic for any bad builds. Deploy in a blue/green deployment using AWS CodeDeploy. 3. Use GitHub websockets to trigger the CodePipeline pipeline. Use the Jenkins plugin for AWS CodeBuild to conduct unit testing. Send alerts to an Amazon SNS topic for any bad builds. Deploy in an in-place, all-at-once deployment configuration using AWS CodeDeploy. 4. Use GitHub webhooks to trigger the CodePipeline pipeline. Use AWS X-Ray for unit testing and static code analysis. Send alerts to an Amazon SNS topic for any bad builds. Deploy in an in-place, all-at-once deployment configuration using AWS CodeDeploy.

Answer 68

1. Edit the cloudhsm\_clientcfg document to import a key and register the key for signing. 2. Use AWS lAM to create a policy that requires a minimum of three crypto officers (COs) to configure the minimum number of approvals required to perform HSM user management operations. 3. **Using the cloudhsm\_mgmt\_util command line tool, enable encrypted communication, login as a CO, and set the Quorum minimum value to two using the setMValue command.** 4. **Using the cloudhsm\_mgmt\_util command line tool, enable encrypted communication, login as a CO, and register a key for signing with the registerMofnPubKey command.** 5. Using the cloudhsm\_mgmt\_util command line tool, enable encrypted communication, login as a CO, and get a Quorum token with the getToken command.

Answer 69

1. Create an Amazon CloudFront distribution and place the ALB behind the distribution. Store static content in Amazon 53 in an Infrequent Access storage class. 2. **Use an Amazon S3 bucket for static images and use the Intelligent Tiering storage class. Use an Amazon CloudFront distribution in front of the S3 bucket and AWS Lambda for processing the images.** 3. Place AWS Global Accelerator in front of the ALOE Migrate the static content to Amazon FSx for Windows File Server. Use an AWS Lambda function to reduce image size during the migration process. 4. Use an Amazon S3 bucket for static images and use the Intelligent Tiering storage class. Use an Amazon CloudFront distribution in front of the 53 bucket and the ALB.

Answer 70

1. **Store the expense claim data in Amazon S3. Use Amazon Athena and Amazon QuickSight to generate the reports using Amazon S3 as the data source.** 2. **Deploy the application front end to an Amazon S3 bucket served by Amazon CloudFront. Deploy the application backend using Amazon API Gateway with an AWS Lambda proxy integration.** 3. Deploy the application to Amazon EC2 On-Demand Instances behind an Application Load Balancer. Use Amazon EC2 Auto Scaling and schedule additional capacity ahead of peak usage periods. 4. Deploy the application to Amazon EC2 On-Demand Instances behind an Application Load Balancer. Use Amazon EC2 Auto Scaling and schedule additional capacity ahead of peak usage periods. 5. Store the expense claim data in Amazon EMR. Use Amazon QuickSight to generate the reports using Amazon EMR as the data source.

Answer 71

1. Use Amazon CloudFront with Amazon EC2 to host the web application. Use Amazon API Gateway to build the application APIs. Use AWS Lambda for custom authentication and authorization. Authorize data access by leveraging lAM roles. 2. **Use Amazon CloudFront with Amazon 53 to host the web application. Use AWS AppSync to build the application APIs. Use Amazon Cognito groups for RBAC. Authorize data access by leveraging Cognito groups in AWS AppSync resolvers.** 3. Use Amazon CloudFront with Amazon S3 to host the web application. Use Amazon API Gateway to build the application APIs with AWS Lambda for the custom authorizer. Authorize data access by performing user lookup in AWS Managed Microsoft AD. 4. Use Amazon CloudFront with Amazon FSx to host the web application. Use AWS AppSync to build the application APIs. Use lAM groups for RBAC. Authorize data access by leveraging lAM groups in AWS AppSync resolvers.

Answer 72

1. **Create user accounts in the Production and Development accounts.** 2. Create user accounts in the Management account and use cross-account access to access resn 3. Enable AWS CloudTrail and keep all Cloudirail trails and logs within each account 4. **Enable AWS CloudTrail and keep all CloudTrail trails and logs in the management account** 5. Create all resoscn in the Management account and grant access to the Production and Development accounts.

Answer 73

1. Use AWS Lambda to create daily EBS and RDS snapshots and copy them to the disaster recovery Region. Use Amazon Route 53 with an active-active failover configuration. Use Amazon EC2 in an Auto Scaling group configured the same as the primary Region. 2. Use EBS cross-region snapshot copy capability to create snapshots in the disaster recovery (DR) Region. Implement an Aurora Replica in the DR Region. Use Amazon Route 53 with an active-passive failover configuration. Use Amazon EC2 in an Auto Scaling group configured the same as the primary Region. 3. **Use AWS Lambda to create daily EBS snapshots and copy them to the disaster recovery Region. Implement an Aurora Replica in the DR Region. Use Amazon Route 53 with an active-passive failover configuration. Use Amazon EC2 in an Auto Scaling group with the capacity set to 0 in the disaster recovery Region.** 4. Use EBS and RDS cross-Region snapshot copy capability to create snapshots in the disaster recovery (DR) Region. Use Amazon Route 53 with an active-active failover configuration. Use Amazon EC2 in an Auto Scaling group with the capacity set to 0 in the disaster recovery Region.

Answer 74

1. Use AWS CloudTrail to capture all the APIs that change the DynamoDß tables. Send SNS notifications when anomalous behaviors are detected using CloudTrail event filtering. 2. **Use Amazon DynamoDB Streams to capture and send updates to AWS Lambda. Create a Lambda function to output records to Amazon Kinesis Data Streams. Analyze any anomalies with Amazon Kinesis Data Analytics. Send SNS notifications when anomalous behaviors are detected.** 3. Copy the DynamoDß tables into Apache Hive tables on Amazon EMR every hour and analyze them for anomalous behaviors. Send Amazon SNS notifications when anomalous behaviors are detected. 4. Use event patterns in Amazon CloudWatch Events to capture DynamoDB API call events with an AWS Lambda function as a target to analyze behavior. Send SNS notifications when anomalous behaviors are detected.

Answer 75

1. Use an Application Load Balancer (ALB) in front of an Auto Scaling group of Amazon EC2 instances in two AWS Regions and two Availability Zones in each Region. Configure an Amazon ElastiCache cluster in front of a global Amazon Aurora MySOL database. Move the shared files to Amazon EFS. Configure Amazon CloudFront with the ALB as the origin and select a price class that includes the US and Europe. Configure EFS cross- Region replication. 2. **Use an Application Load Balancer (ALB) in front of an Auto Scaling group of Amazon EC2 instances in one AWS Region and three Availability Zones. Configure an Amazon ElastiCache cluster in front of a Multi-AZ Amazon Aurora MySQL DB cluster. Move the shared files to Amazon EFS. Configure Amazon CloudFront with the ALB as the origin and select a price class that includes the US and Europe.** 3. Use an Application Load Balancer (ALB) in front of an Auto Scaling group of Amazon EC2 instances in two AWS Regions and three Availability Zones in each Region. Configure an Amazon ElastiCache cluster in front of a global Amazon Aurora MySQL database. Move the shared files to Amazon FSx with cross-Region synchronization. Configure Amazon CloudFront with the ALB as the origin and a price class that includes the US and Europe. 4. Use an Application Load Balancer (ALB) in front of an Auto Scaling group of Amazon EC2 instances in one AWS Region and three Availability Zones. Configure an Amazon DocumentDB table in front of a Multi-AZ Amazon Aurora MySOL DB cluster. Move the shared files to Amazon EFS. Configure Amazon CloudFront with the ALB as the origin and select a price class that includes all global locations.

Answer 76

1. Use AWS Lambda for the web application. Increase the read and write capacity of DynamoDB. 2. **Use Auto Scaling groups for the web application and use DynamoDB auto scaling.** 3. Use Auto Scaling groups for the web application and use Amazon Simple Queue Service (Amazon SQS) and an AWS Lambda function to write to DynamoDB. 4. Use AWS Lambda for the web application. Configure DynamoDß to use global tables.

Answer 77

1. Check if object lock is enabled for the objects in the S3 bucket. 2. Check if the storage class for objects in the S3 Standard. 3. **Check if the S3 bucket is encrypted using AWS KMS.** 4. Check the object versioning status of the objects in the S3 bucket 5. **Check if the S3 block public access option is enabled on the S3 bucket**

Answer 78

1. **An outbound rule for ports 1024 through 65535 to destination 10.1.0.0/24.** 2. An inbound rule for port 443 from source 0.0.0.0/0. 3. **An inbound rule for port 443 from source 10.1.0.0/24.** 4. An outbound rule for port 443 to destination 10.1.0.0/24. 5. An outbound rule for port 443 to destination 0.0.0.0/0.

Answer 79

1. Create an Auto Scaling group for the EC2 instances and use an Application Load Balancer to direct incoming requests. Save the authenticated connection details on Amazon EBS volumes. 2. Create an Auto Scaling group for the EC2 instances and use an Application Load Balancer to direct incoming requests. Use AWS Secrets Manager to save the authenticated connection details. 3. **Create an Auto Scaling group for the EŒ instances and use an Application Load Balancer to direct incoming requests. Use Amazon DynamoDB to save the authenticated connection details.** 4. Use AWS Global Accelerator to forward requests to the EC2 instances. Use Amazon DynamoDB to save the authenticated connection details.

Answer 80

1. **Implement a blue/green deployment strategy.** 2. Implement CloudFormation Stack sets. 3. Implement CloudFormation change sets. 4. Implement the canary release strategy.

Answer 81

1. **The ECS task execution role was modified.** 2. The ECS container instance lAM role was modified. 3. The ECS tasks have insufficient memory assigned. 4. The ECS service is inaccessible.

Answer 82

1. The object has a policy assigned that blocks all public access. 2. **The bucket has the BlockPublicAcls selling set to TRUE.** 3. The object ACL does not allow write permissions for the lAM user account 4. The bucket has the BlockPublicPolicy selling set to TRUE.

Answer 83

1. **Use Application Auto Scaling to scale out write capacity on the DynamoDB table based on a schedule.** 2. Use Application Auto Scaling to set a step scaling policy to scale out write capacity on the DynamoDB table when load spikes reach a defined threshold. 3. Use Amazon CloudWatch Events to monitor the dead letter queue and invoke a Lambda function to automatically retry failed records. 4. Reduce the DynamoDB table auto scaling policy s target utilization to 50% to provide more resources for peak traffic periods.

Answer 84

1. Enable the private DNS option on the VPC attributes. 2. Update the route table for the subnets with a route to the interface endpoint. 3. **Configure the security group on the interface endpoint to allow connectivity to the AWS services.** 4. Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application.

Answer 85

1. Configure AWS CloudTrail to collect API activity from Amazon EC2 and Aurora and analyze with Amazon Athena. 2. Configure the Aurora MYSQL DB cluster to generate error logs by setting parameters in the parameter group. 3. **Configure the Aurora MySQL DB cluster to generate slow query logs by setting parameters in the parameter group.** 4. **Implement the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for PHP.** 5. **Install and configure an Amazon CloudWatch Logs agent on the EQ instances to send the Apache logs to CloudWatch Logs.** 6. Configure an Amazon EventBridge rule that triggers Lambda upon Aurora error events and saves logs to Amazon S3 for analysis with Amazon Athena.

Answer 86

1. **Create an Amazon Macie job that scans AWS CodeCommit repositories for credentials. If any credentials are found an AWS Lambda function should be triggered that disables the credentials.** 2. Run a cron job on an Amazon EC2 instance to check the CodeCommit repositories for unsecured credentials. If any unsecured credentials are found, generate new credentials and store them in AWS KNIS. 3. Use AWS Trusted Advisor to check for unsecured AWS credentials. If any unsecured credentials are found, use AWS Secrets Manager to rotate the credentials. 4. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If any credentials are found, disable them and notify the user.

Answer 87

1. **Configure an AWS Glue crawler to crawl the databases and create tables in the AWS Glue Data Catalog. Create an AWS Glue ETL job that loads data from the RDS databases to Amazon S3. Use Amazon Athena to run the queries.** 2. Create an AWS Glue ETL job that copies data from the RDS databases to a single Amazon Aurora MySQL database. Run SQL queries on the Aurora MYSQL database. 3. Create an Amazon Redshift cluster. Create an AWS Glue ETL job to copy data from the RDS databases to the Amazon Redshift cluster. Use Amazon Redshift to run the query. 4. Create an Amazon EMR cluster. Create an AWS Glue ETL job to copy data from the RDS databases to the Amazon Redshift cluster. Use Amazon QuickSight to mn the query.

Answer 88

1. **Use the Amazon CloudWatch Logs agent to stream log messages directly to CloudWatch Logs. Configure the batch\_count parameter to 1.** 2. Update the cron job to run every 5 minutes instead of every 30 minutes to reduce the possibility of log files being lost. 3. Use Amazon CloudWatch Events to trigger Amazon Systems Manager Session Manager to run a batch script that collects the log files. 4. Use Amazon CloudWatch Events to trigger an AWS Lambda function that collects the log files using an SSH connection.

Answer 89

1. Use AWS SMS to replicate the database to AWS and create an Amazon EC2 instance. Migrate the Java-based web application to an AWS Elastic Beanstalk environment behind an Application Load Balancer (ALB). 2. Use AWS DMS to migrate the database to Amazon RedShift. Migrate the Java-based web application to an AWS Elastic Beanstalk environment behind an Application Load Balancer (ALB). 3. Use AWS SMS to replicate the database to AWS and create an Amazon EC2 instance. Replicate the client VMs into AWS using AWS SMS. Place the EC2 instances behind an Application Load Balancer (ALB). 4. **Use AWS DMS to migrate the database to Amazon RDS. Replicate the client VMs into AWS using AWS SMS. Create Route 53 Alias records for each client VM.**

Answer 90

1. Re-architect the application. Load the data into Amazon S3. Use AWS Lambda to transform the data. Create an Amazon DynamoDB global table across two Regions to store the data and use Amazon Elasticsearch to query the data. 2. **Re-architect the application. Load the data into Amazon S3. Use AWS Glue to transform the data. Store the table schema in an AWS Glue Data Catalog. Use Amazon Athena to query the data.** 3. Replatform the application. Use Amazon API Gateway for data ingestion. Use AWS Lambda to transform the JSON data. Create an Amazon Aurora PostgreSQL DB cluster with an Aurora Replica in another Availability Zone. Use Amazon QuickSight to generate reports and visualize data. 4. Re-architect the application. Load the data into Amazon S3. Use Amazon Kinesis Data Analytics to transform the data. Create an external schema in an AWS Glue Data Catalog. Use Amazon Redshift Spectrum to query the data.

Answer 91

1. **The throttle limit on the REST API is configured too low. During busy periods some requests are being throttled and are not reaching the Lambda function.** 2. The Lambda is configured with too little memory causing the function to fail at peak load. 3. The Lambda function is set to use synchronous invocation and the REST API is calling the function using asynchronous invocation. 4. The API is using the non-proxy integration with Lambda when it should be using proxy integration.

Answer 92

1. Use Amazon ECS Reserved instances and configure termination protection. 2. Use Amazon ECS with Application Auto Scaling and suspend dynamic scaling. 3. **Use Amazon ECS Spot instances and configure Spot Instance Draining.** 4. Use Amazon ECS Cluster Auto Scaling (CAS) and configure a warm-up time.

Answer 93

1. Set the authorization to AWS\_IAM for the API Gateway method. Create a permissions policy that grants lambda:lnvokeFunction permission on the REST API resource and attach it to a group containing the lAM user accounts. 2. Create a client certificate for API Gateway. Distribute the certificate to the AWS users that need to access the endpoint. Enable the API caller to pass the client certificate when accessing the endpoint. 3. **Set the authorization to AWS\_IAM for the API Gateway method. Create a permissions policy that grants execute-api:lnvoke permission on the REST API resource and attach it to a group containing the lAM user accounts.** 4. Create an AWS Lambda function as a custom authorizer and ask the API client to pass the key and secret when making the call, and then use Lambda to validate the key/secret pair against the lAM system.

Answer 94

1. Use Amazon EC2 Auto Scaling with an AMI that includes the latest OS patches. Mount a shared Amazon EBS volume with the static data to the EC2 instances at launch time. 2. Use Amazon EC2 Auto Scaling with a standard AMI. Use a user data script to download the static data from an Amazon 53 bucket Update the OS patches with AWS Systems Manager. 3. Use Amazon EC2 Auto Scaling with an AMI that includes the static data. Update the OS patches with AWS Systems Manager. 4. **Use Amazon EC2 Auto Scaling with an AMI that includes the latest OS patches. Mount an Amazon EFS file system with the static data to the EQ instances at launch time.**

Answer 95

1. Use Amazon Macie with to identify the IP addresses in Amazon 53 requests. Use AWS Lambda with Macle to automatically remediate 53 bucket policy changes. Use Macle automatic alerting capabilities for alerts. 2. Use Amazon CloudWatch Logs with the Amazon Athena connector to identify the IP addresses in Amazon 53 requests. Use CloudWatch Events mies with AWS Lambda to automatically remediate 53 bucket policy changes. Configure alerting with Amazon SNS. 3. **Identify the IP addresses in Amazon 53 requests with Amazon S3 access logs and Amazon Athena. Use AWS Config with Auto Remediation to remediate any changes to S3 bucket policies. Configure alerting with AWS Config and Amazon SNS.** 4. Create an AWS CloudTrail trail and log management events. Use CloudWatch Events rules with AWS Lambda to automatically remediate 53 bucket policy changes. Configure alerting with Amazon SNS.

Answer 96

1. Create an Amazon EventBridge rule that triggers an AWS Lambda function to use AWS Trusted Advisor to retrieve the most current utilization and service limit data. If the current utilization is above 80% use AWS Budgets to send an alert to the cloud team. 2. **Create an Amazon EventBridge rule that triggers an AWS Lambda function to use AWS Trusted Advisor to retrieve the most current utilization and service limit data. If the current utilization is above 80% publish a message to an Amazon SNS topic to alert the cloud team.** 3. Create a scheduled AWS Config rule to trigger an AWS Lambda function to call the GetServiceQuota API. If any service utilization is above 80% publish a message to an Amazon SNS topic to alert the cloud team. 4. Create a scheduled AWS Config rule to trigger an AWS Lambda function to call the ListServiceQuotas API. If any service utilization is above 80% publish a message to an Amazon SNS topic to alert the cloud team.

Answer 97

1. **Create an Auto Scaling group for the front end with a combination of Reserved instances and Spot Instances to reduce costs. Convert the tables in the Oracle database into Amazon DynamoDB tables.** 2. Create an Auto Scaling group for the front end with a combination of On-Demand and Spot Instances to reduce costs. Migrate the Oracle database into a single Amazon RDS reserved DB instance. 3. Use Spot Instances for the front end to reduce costs. Convert the tables in the Oracle database into Amazon DynamoDB tables. 4. Create an Auto Scaling group for the front end with a combination of Reserved instances and Spot Instances to reduce costs. Migrate the Oracle database into an Amazon RDS multi-AZ deployment

Answer 98

1. Use S3 Transfer Acceleration for the backup jobs. Create a lifecycle policy for the incomplete multipart uploads on the S3 bucket to prevent new failed uploads from accumulating. 2. Use S3 Transfer Acceleration for the backup jobs. Use the Multi-Object Delete operation to remove the old uploads on a daily basis. 3. **Use multipart upload for the backup jobs. Create a lifecycle policy for the incomplete multipart uploads on the S3 bucket to prevent new failed uploads from accumulating.** 4. Use multipart upload for the backup jobs. Create a lifecycle policy that archives data to Amazon S3 Glacier on a daily basis.

Answer 99

1. **Attach an endpoint policy to the gateway endpoint that restricts access to the specific S3 bucket. Assign an lAM role to the EC2 instances and attach a policy to the S3 bucket that grants access only to this role.** 2. Attach a bucket policy to the S3 bucket that grants access to the EC2 instances only using the aws:Sourcelp condition. Update the VPC route table so only the application EC2 instances can access the VPC endpoint. 3. Attach an endpoint policy to the gateway endpoint that restricts access to 53 in the current Region. Attach a bucket policy to the 53 bucket that grants access to ec2.amazonaws.com service only. 4. Attach an endpoint policy to the gateway endpoint that restricts access to the specific S3 bucket Attach a bucket policy to the S3 bucket that grants access only to the VPC endpoint.

Answer 100

1. Configure Lambda to use the stored database credentials in AWS KMS and enabled automatic key rotation. 2. Create a Lambda function to rotate the credentials every hour by deploying a new Lambda version with the updated credentials. 3. **Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.** 4. Store the Amazon RDS database credentials in AWS KMS using imported key material. 5. **Create encrypted database credentials in AWS Secrets Manager for the Amazon RDS database.**

Answer 101

1. **Use Amazon EC2 instances that support Elastic Fabric Adapter (EFA).** 2. **Deploy Amazon FC2 instances in a placement group.** 3. Use Amazon EC2 instances that support burstable performance. 4. Deploy Amazon EC2 instances in an Auto Scaling group. 5. Deploy instances across multiple Availability Zones.

Answer 102

1. **Build an API with API Gateway and AWS Lambda, use Amazon S3 for hosting static web resources and create an Amazon CloudFront distribution with the S3 bucket as the origin. Use Amazon Cognito to provide user management authentication functions.** 2. Build an API using Docker containers running on AWS Fargate in multiple Regions behind Application Load Balancers. Use an Amazon Route 53 latency-based routing policy. Use Amazon Cognito to provide user management authentication functions. 3. Build an API using Docker containers running on Amazon ECS behind an Amazon CloudFront distribution. Use AWS Secrets Manager to provide user management authentication functions. 4. Build an API with API Gateway and AWS Lambda, use Amazon S3 for hosting static web resources and create an AWS WAF Web ACL and attach it for DDoS attack mitigation. Use Amazon Cognito to provide user management authentication functions.

Answer 103

1. Change to a failover routing policy in Amazon Route 53 and configure active-active failover. Write a custom health check that verifies successful access to the Application Load Balancers in each Region. 2. **Write a custom health check that verifies successful access to the database endpoints in each Region. Add the health check within the latency-based routing policy in Amazon Route 53.** 3. **Set the value of Evaluate Target Health to Yes on the latency alias resources for both us-east-2 and us-west-1.** 4. Write a custom health check that queries the AWS Service Dashboard API to verify the Amazon ROS service is healthy in each Region. 5. Set the value of Evaluate Target Health to Yes on the failover alias resources for both us-east-2 and us-west-1.

Answer 104

1. Configure the S3 bucket policy to permit access to the Amazon EMR cluster only. 2. **Configure the S3 bucket policy to permit access using an aws:sourceVpce condition to match the S3 endpoint ID.** 3. **Configure the EMR cluster to use an AWS CloudHSM appliance for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3.** 4. Configure the EMR cluster to use an AWS KMS managed CMK for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and an interface VPC endpoint for AWS KMS. 5. Configure the EMR cluster to use an AWS KMS CMK for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and a NAT gateway to access AWS KMS.

Answer 105

1. **Create an AWS Direct Connect (DX) gateway and attach the (DX) gateway to a transit gateway. Enable route propagation with BGP.** 2. Create lPSec VPN connections between the VPCs in a fully meshed topology. Configure the route tables in the VPCs to route traffic across the IPSec VPN connections. 3. Create VPC peering connections between the VPCs in a fully meshed topology. Configure the route tables in the VPCs to route traffic across the peering connections. 4. **Create an AWS transit gateway and add attachments for all of the VPCs. Configure the route tables in the VPCs to send traffic to the transit gateway.** 5. Create an AWS Direct Connect (DX) gateway and associate the DX gateway with a VGW in each VPC. Enable route propagation with BGP.

Answer 106

1. **Use AWS Organizations to create a management account and create each team’s account from the management account. Create a security account for cross-account access. Apply service control policies on each account and grant the security team cross-account access to all accounts. The Security team will create lAM policies to provide least privilege access.** 2. Use AWS Organizations to create a management account. Create groups in Active Directory and assign them to roles in AWS to grant federated access. Apply tags to the resources for each team and separate bills based on tags. Control access to resources through lAM granting the minimum required privileges. 3. Create a separate AWS account for each team. Assign the security account as the management account and enable consolidated billing for all other accounts. Create a cross-account role for security to manage accounts. 4. Create a new AWS account and use AWS CloudFormation to provide teams with the resources they require. Use cost allocation tags and a third-party billing solution to provide the Finance team with a breakdown of costs based on tags. Use lAM policies to control access to resources and grant the Security team full access.

Answer 107

1. **Refactor the application onto AWS Lambda functions. Use AWS Step Functions to orchestrate the application.** 2. Refactor the application onto Docker containers running on Amazon ECS. Use Amazon SQS to decouple the application components. 3. Refactor the application onto AWS Lambda functions. Use Amazon EventBridge to automate the application. 4. Refactor the application onto Docker containers running on AWS Fargate. Use AWS Step Functions to orchestrate the application.

Answer 108

1. Copy the data to an 80 TB AWS Snowball device. 2. **Upload the data to the S3 bucket using S3 Transfer Acceleration.** 3. Use AWS DataSync to migrate the data to S3. 4. Use the AWS Direct Connect link to upload the data to S3.

Answer 109

1. Upload the AWS CloudFormation template to Amazon S3. Give users in the testing team permission to use CloudFormation and S3 APIs with conditions that restrict the permissions to the template and the resources it creates. Train users to launch the template from the Cloud Formation console. 2. **Create an AWS Service Catalog product from the environment template and add a launch constraint to the product with the existing role. Give users in the testing team permission to use AWS Service Catalog APIs only. Train users to launch the template from the AWS Service Catalog console.** 3. Upload the AWS CloudFormation template to Amazon S3. Give users in the testing team permission to assume the Developers role and add a policy that restricts the permissions to the template and the resources it creates. Train users to launch the template from the Cloud Formation console. 4. Create an AWS Service Catalog product from the environment template and add a stack set constraint to the product with the existing role. Give users in the testing team permission to use AWS Service Catalog APIs only. Train users to launch the template from the AWS Service Catalog console.

Answer 110

1. **Create two AWS Direct Connect connections from the New York data center to an AWS Region. Configure the company WAN to send traffic over the DX connection. Use Direct Connect or Gateway to access data in other AWS Regions.** 2. Create two AWS Direct Connect connections from the New York data center to an AWS Region. Configure the company WAN to send traffic over the DX connection. Use an AWS transit VPC solution to access data in other AWS Regions. 3. Create two AWS Direct Connect connections from the New York data center to an AWS Region. Configure the company WAN to send traffic over the DX connection. Use inter-region VPC peering to access the data in other AWS Regions. 4. Create an AWS Direct Connect connection from the New York data center to all AWS Regions the company uses. Configure the company WAN to send traffic via the New York data center and on to the respective DX connection to access AWS.

Answer 111

1. Create a DynamoDB global table to replicate data between us-west-1 and eu-central-1. Enable versioning on the S3 bucket. Implement strict ACLs on the 53 bucket. 2. **Create a DynamoDB global table to replicate data between us west-i and eu-central-1. Enable continuous backup on the DynamoDB table in us-west-i . Set up S3 cross-region replication from us-west-1 to eu-central-1.** 3. Create a DynamoDB global table to replicate data between us-west-i and eu-central-1. Enable continuous backup on the DynamoDB table in us-west-1 . Enable versioning on the 53 bucket. 4. Create an AWS Lambda function triggered by Amazon CloudWatch Events to make regular backups of the DynamoDB table. Set up S3 cross-region replication from us-west-1 to eu-central-1. Set up MFA delete on the S3 bucket in us-west-1.

Answer 112

1. Deploy the required lAM users, groups, roles, and policies in every AWS account. Create an AWS Organization and federate the on-premises identity management provider and the AWS accounts. 2. Create a SAML-based identity management provider in a central account and map lAM roles that provide the necessary permissions for users. Create a centralized AWS Lambda function that replicates the identities in the on premises IdP groups to the AWS accounts. 3. Create an AWS Organization with a management account that defines the SCPs for member accounts. Create a SAM L-based identity management provider in each account and map users in the on-premises ldP groups to lAM roles. 4. **Create a SAML-based identity management provider in a central account and map lAM roles that provide the necessary permissions for users. Map users in the on-premises ldP groups to lAM roles. Use cross-account access to the other AWS accounts.**

Answer 113

1. Migrate the applications to separate AWS Elastic Beanstalk environments. Enable Auto Scaling to ensure there are sufficient resources during peak processing periods. Monitor each AWS Elastic Beanstalk deployment using CloudWatch alarms. 2. Migrate the applications to Amazon EC2 instances in Auto Scaling groups. Create separate target groups for each application behind an Application Load Balancer and use host-based routing. Configure Auto Scaling to scale based on memory utilization and set the threshold to 75%. 3. **Migrate the applications to Docker containers on Amazon ECS. Create a separate ECS task and service for each application. Enable service Auto Scaling based on memory utilization and set the threshold to 75%. Monitor services and hosts by using Amazon Cloud Watch.** 4. Migrate the applications to run on AWS Lambda with a separate function for each application. Use AWS CloudTrail logs and Amazon Cloud Watch alarms to verify completion of important processes.

Answer 114

1. Create a separate pipeline in CodePipeline and trigger execution using CodeCommit tags. Use Jenkins for running unit tests. Create a stage in the pipeline with S3 as the target for staging the artifacts with an S3 bucket in a separate testing account. 2. **Create a separate pipeline in CodePipeline and trigger execution using CodeCommit branches. Use AWS CodeBuild for running unit tests and staging the artifacts in an S3 bucket in a separate testing account.** 3. Create a separate CodeCommit repository for feature development and use it to trigger the pipeline. Use AWS Lambda for running unit tests. Use AWS CodeBuild to stage the artifacts within different S3 buckets in the same production account. 4. Create a separate pipeline in CodePipeline and trigger execution using CodeCommit branches. Use AWS Lambda for running unit tests. Use AWS CodeDeploy to stage the artifacts within an S3 bucket in a separate testing account.

Answer 115

1. Create an AWS Managed VPN connection that uses the public internet and attach it to the same virtual private gateway as the DX connection. 2. Use multiple IPSec VPN connections to separate virtual private gateways and configure BGP to prioritize the DX connection. 3. **Install a second DX connection from a different network carrier and attach it to the same virtual private gateway as the first DX connection.** 4. Add an additional physical connection for the existing DX connection using the same network carrier and join the connections to a link aggregation group (LAG) on the same private virtual interface.

Answer 116

1. Create a pipeline in CodePipeline with a deploy stage that uses AWS DpsWorks and in-place deployments. Monitor the application and if there are any issues pushing another code update. 2. **Create a pipeline in CodePipeline with a deploy stage that uses a blue/green deployment strategy. Monitor the application and if there are any issues trigger a manual rollback using CodeDeploy.** 3. Create a pipeline in CodePipeline with a deploy stage that uses AWS CloudFormation to create test and production stacks. Monitor the application and if there are any issues push another code update. 4. Create a pipeline in CodePipeline with a deploy stage that uses an in-place deployment strategy. Monitor the application and if there are any issues push another code update.

Answer 117

1. An outbound rule in WebAppSG allows ports 1024-65535 to destination ALB-SG. 2. An inbound rule in ALB-SG allowing port 80 from WebAppSG. 3. An outbound rule in ALB-SG allowing ports 1024-65535 to destination 0.0.0.0/0. 4. **An inbound rule in ALB-SG allowing port 80 from source 0.0.0.0/0.** 5. **An inbound rule in WebAppSG allowing port 80 from source ALB-SG.**

Answer 118

1. Launch the Amazon EC2 instances in a public subnet with an internet gateway. Associate an Elastic IP address to the internet gateway that can be whitelisted on the external API service. 2. Launch the Amazon EC2 instances in a private subnet. Configure HTTP\_PROXY application parameters to send outbound connections to an EC2 proxy server in a public subnet. Associate an Elastic IP address to the EC2 proxy host that can be whitelisted on the external API service. 3. **Launch the Amazon EC? instances in a private subnet with an outbound route to a NAT gateway in a public subnet. Associate an Elastic IP address to the NAT gateway that can be whitelisted or on the external API service.** 4. Launch the Amazon EC2 instances in a public subnet. Set the HTTPS\_PROXY and NO\_PROXY application parameters to send non-VPC outbound HTTPS connections to an EC2 proxy server deployed in a public subnet. Associate an Elastic IP address to the EC2 proxy host that can be whitelisted on the external API service.

Answer 119

1. Deploy a multi-Region solution ensuring the minimum distance requirements are met. The DR environment should be configured using the pilot light strategy with database replication to a standby database with a minimum of capacity. Use AWS CloudFormation to launch web servers, application servers and load balancers in case of a disaster. Use Amazon Route 53 to switch traffic to the DR Region and vertically scale the Amazon RDS DB instance. 2. **Deploy a scaled-down version of the production environment in a separate AWS Region ensuring the minimum distance requirements are met The DR environment should include one instance for the web tier and one instance for the application tier. Create another database instance and configure database mirroring for MySOL Configure Auto Scaling for the web and app tiers so they can scale based on load. Use Amazon Route 53 to switch traffic to the DR Region.** 3. Deploy a multi-Region solution ensuring the minimum distance requirements are met. Take regular snapshots of the web and application EC2 instances and replicate them to the DR Region. Launch an Amazon cross-Region read replica in the DR Region that can be promoted. Use AWS Cloud Formation to launch the web and application tiers in the event of a disaster. Fail over the RDS DB to the standby instance and use Amazon Route 53 to switch traffic to the DR Region. 4. Deploy a multi-Region solution ensuring the minimum distance requirements are met. The DR environment should include fully-functional web, application, and database tiers in both regions with equivalent capacity. Activate the primary database in one region only and the standby database in the other region. Use Amazon Route 53 to automatically switch traffic from one region to another using health check routing policies.

Answer 120

1. Create an lAM account for the new employee in a dedicated account. Use cross-account access to manage resources. Limit the permissions on the cross-account access role to only allow management of Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add permissions to the cross-account access lAM role. 2. **Create an AM account for the new employee and add the account to the security team lAM group. Set a permissions boundary that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon Cloud Watch. When the employee or takes on new management responsibilities, add the additional services to the permissions boundary lAM policy.** 3. Create an lAM account for the new employee. Create a new lAM group for the employee and add a permissions policy that grants access to manage Amazon DynamoDß, Amazon RDS, and Amazon Cloud Watch. When the employee takes on new management responsibilities, add the additional services to the lAM policy. 4. Create an lAM account for the new employee and add the account to the security team lAM group. Use a Service Control Policy (SCP) to limit the maximum available permissions to Amazon DynamoDB, Amazon RDS, and Amazon Cloud Watch. When the employee takes on new management responsibilities, remove the SCP.

Answer 121

1. Create an AWS Organization that includes the production and testing accounts. Create lAM user accounts in the production and testing accounts and implement service control policies (SCPs) to centrally control permissions. 2. **Create a separate AWS account for identities where lAM user accounts can be created. Create roles with appropriate permissions in the production and testing accounts. Add the identity account to the trust policies for the roles.** 3. Create a separate AWS account for identities where lAM user accounts can be created. Create roles with appropriate permissions in the identity account and delegate access to the production and testing accounts. 4. Create all user accounts in the production account. Create roles for access in the production account and testing accounts. Grant cross-account access from the production account to the testing account.

Answer 122

1. Create an lAM policy in each account that denies access to the services. Associate the policy with an lAM group and add all lAM users to the group. 2. Create an lAM role in each member account and attach a policy to the role that denies access to the specific set of services. Create user accounts in the management account and instruct users to assume the lAM role in each member account to gain access to services. 3. Create a service control policy (SCP) that denies access to the specific set of services and apply the policy to the root of the organization. 4. **Add the member accounts to a single organizational unit (OU). Create a service control policy (SCP) that denies access to the specific set of services and attach it to the OU.**

Answer 123

1. Use AWS SMS to import the on-premises database into AWS and then use AWS DMS to synchronize the database with an Amazon Aurora MySQL DB instance. 2. **Launch an RDS Aurora MySQL DB instance and load the database data from the Snowball export. Configure replication from the on-premises database to the RDS Aurora instance using the VPN.** 3. **Export the data from the database using daiabase-native tools and import the data to AWS using AWS Snowball.** 4. Launch an AWS DMS instance and configure it with the on-premises and Aurora DB instance information. Replicate using AWS DMS over the VPN connection. 5. **When the RDS Aurora MySQL database is fully synchronized, change the DNS entry to point to the Aurora DB instance and stop replication.** 6. Launch an Amazon RDS Aurora MySQL DB instance and use AWS DMS to miarate the on-premises database.

Answer 124

1. Use an AWS Lambda function to replicate Amazon RDS snapshots to us-west-1. Use an Amazon EventBridge to trigger an AWS Lambda function that creates a new RDS database from the replicated snapshot. 2. **Create a cross-Region read replica in us-west-1. Use Amazon EventBridge to trigger an AWS Lambda function that promotes the read replica to primary and updates the DNS endpoint or address for the database.** 3. Create a cron job that runs the mysqldump command to export the MySQL database to a file stored on Amazon S3. Use Amazon EventBridge to trigger an AWS Lambda function that imports the database export to a standby database in us-west-1. 4. Deploy an Amazon RDS Multi Master database across both AWS Regions. Configure the EC2 instances in us-west-i to write to the local RDS writer endpoint.

Answer 125

1. Store each object in Amazon S3 with a key that uses a random string. 2. **Store the data in Amazon S3 using Apache Parquet or Apache ORC formats.** 3. Store the data in Amazon S3 compressed files less than 10 MB in size. 4. **Store the data using Apache Hive partitioning in Amazon S3 using a key that includes a date.** 5. Store the data in separate buckets for each date range.

Answer 126

1. Configure the application to generate a signed URL for authenticated users that provides time-limited access to the files. 2. **Configure the application to send Set-Cookie headers to the viewer and control access to the files using signed cookies.** 3. Use an Origin Access Identity (OAI) to control access to the S3 bucket to users of the CloudFront distribution only. 4. Configure a behavior in CloudFront that forwards requests for the files to the S3 bucket based on a path pattern.