Amazon Web Services SAP-C02 AWS Certified Solutions Architect - Professional Exam Practice Test

D is correct because thehealth check grace perioddefines how long Auto Scaling waits after launching an instance before checking its health status. With the larger content added to the S3 bucket, the instance initialization (via user data) is taking longer. Increasing the grace period allows the instance time to complete startup tasks before it’s marked as unhealthy.

Option A would not necessarily reduce startup time — the issue is likely network latency or the size of the content.

Option B only affects the timeout for health check responses, not the delay before they begin.

Option C is not applicable unless the health check path itself is invalid (which isn't mentioned).

Create an S3 Bucket:

Navigate to Amazon S3 in the AWS Management Console and create a new S3 bucket to store the game files.Enable static website hosting on this bucket.

Upload Game Files:

Upload the 5 GB game release package to the S3 bucket. Ensure that the files are publicly accessible if required for download.

Configure Amazon Route 53:

Set up a new domain or subdomain in Amazon Route 53 and point it to the S3 bucket. This allows users to access the game files using a custom URL.

Use Amazon CloudFront:

Create a CloudFront distribution with the S3 bucket as the origin. CloudFront is a content delivery network (CDN) that caches content at edge locations worldwide, improving download performance and reducing latency for users regardless of their location.

Publish the Download URL:

Use the CloudFront distribution URL as the download link for users to access the game files. CloudFront will handle the efficient distribution and caching of the content.

This solution leverages the scalability of Amazon S3 and the performance benefits of CloudFront to provide an optimal download experience for users globally while minimizing costs.

References

Amazon CloudFront Documentation

Amazon S3 Static Website Hosting

Comprehensive and Detailed Explanation From Exact Extract:

B is correct because the requirement is to allocate shared EC2 infrastructure costs (ECS on EC2, shared cluster) down to the business groups with the least operational effort. With shared compute, the EC2 line-item charges are not naturally per “task,” so you need a cost allocation feature that can split shared costs using workload metadata. Split cost allocation data combined with the AWS Cost and Usage Report (CUR) and resource tags provides the standard AWS mechanism to distribute (“split”) shared resource costs across consumers for chargeback/showback reporting. This avoids operationally heavy changes (like redesigning clusters) and supports automated reporting.

Why the other options are incorrect:

A: Tagging the Auto Scaling group can only attribute costs at the ASG level, not split costs between multiple business groups sharing the same cluster capacity. It does not solve per-business-group allocation when capacity is shared.

C: Separate clusters per group would work but is higher operational overhead (more clusters to manage, scaling policies, capacity planning, governance), which violates the “least operational overhead” requirement.

D: Cost Categories are useful for mapping and organizing costs, but by themselves they do not solve the underlying need to split shared EC2 costs among multiple consumers unless you already have an accurate split basis. Option B directly targets split allocation of shared costs with tagging and CUR.

Hosting the .NET Core components on Amazon ECS with the Amazon EC2 launch type will meet the requirements of having complex orchestration and full control over networking and host configuration. Amazon ECS is a fully managed container orchestration service that supports both AWS Fargate and Amazon EC2 as launch types. The Amazon EC2 launch type allows users to choose their own EC2 instances, configure their own networking settings, and access their own host operating systems. Hosting the database on Amazon Aurora MySQL Serverless v2 will meet the requirements of having a strongly relational database model and using the same database engine as SQL Server. MySQL is a compatible relational database engine with SQL Server, and it can support most of the legacy application’s database model. Amazon Aurora MySQL Serverless v2 is a serverless version of Amazon Aurora MySQL that can scale up and down automatically based on demand. Using Amazon SQS for asynchronous messaging will meet the requirements of providing a compatible replacement for MSMQ, which is a queue-based messaging system3. Amazon SQS is a fully managed message queuing service that enables decoupled and scalable microservices, distributed systems, and serverless applications.

This option allows the solutions architect to use a private hosted zone to host DNS records that are only accessible within the VPC1. By associating the private hosted zone with the VPC, the solutions architect can ensure that DNS queries from the VPC are routed to the private hosted zone2. By activating the enableDnsSupport attribute and the enableDnsHostnames attribute for the VPC, the solutions architect can enable DNS resolution and hostname assignment for instances in the VPC3. By creating a new VPC DHCP options set, and configuring domain-name-servers=AmazonProvidedDNS, the solutions architect can use Amazon-provided DNS servers to resolve DNS queries from instances in the VPC4. By associating the new DHCP options set with the VPC, the solutions architect can apply the DNS settings to all instances in the VPC5.

What is Amazon Route 53 Resolver?

Associating a private hosted zone with your VPC

Using DNS with your VPC

DHCP options sets

Modifying your DHCP options

https://aws.amazon.com/blogs/compute/operating-lambda-performance-optimization-part-1/

This solution will allow the detection logic to be run as soon as the image is uploaded to the S3 bucket, before it is served to users via the CloudFront distribution. This way, the detection logic can quickly identify any corrupted images and prevent them from being served to users, minimizing latency between ingestion and serving.

Allows client machines to be able to connect to Session Manager using the AWS CLI instead of going through the AWS EC2 or AWS Server Manager console. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.htmlhttps://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#:~:text=aws%20ssm%20start%2Dsession%20%2D%2Dtarget%20instance%2Did

D is correct becauseRDS for PostgreSQLsupportsforeign data wrappers (FDW)that allow querying remote Oracle databases. WithAWS Schema Conversion Tool (SCT)andDatabase Migration Service (DMS), schema and data can be migrated effectively.AWS Direct Connectensures secure, private connectivity to on-prem databases. Cron jobs can be run via EventBridge or external orchestration.

A doesn't support relational/spatial querying.

B doesn’t support FDW or spatial types.

C introduces unnecessary complexity.

Amazon Kinesis Data Streams is a service that enables real-time data ingestion and processing. Amazon DynamoDB is a NoSQL database that does not require fixed schemas for storage. By using Kinesis Data Streams and DynamoDB, the company can send the JSON data to a database that can handle schemaless data in real time. References:

https://docs.aws.amazon.com/streams/latest/dev/introduction.html

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

RDS Proxyoptimizes and pools DB connections. By combining this withPrivateLink + NLB, other accounts can securely access the proxy endpoint without going over the internet or setting up peering for every new account.

RDS Proxy Docs

The correct answer is D. Deploy the application on Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate and enable auto scaling behind an Application Load Balancer. Create additional read replicas for the DB instance. Create an Amazon Managed Streaming for Apache Kafka cluster and configure the application services to use the cluster. Store static content in Amazon S3 behind an Amazon CloudFront distribution.

Option D meets the requirements of the scenario because it allows you to reduce operational overhead and support the product release by using the following AWS services and features:

Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed service that allows you to run Kubernetes applications on AWS without needing to install, operate, or maintain your own Kubernetes control plane. You can use Amazon EKS to deploy your containerized application services on a Kubernetes cluster that is compatible with your existing tools and processes.

AWS Fargate is a serverless compute engine that eliminates the need to provision and manage servers for your containers. You can use AWS Fargate as the launch type for your Amazon EKS pods, which are the smallest deployable units of computing in Kubernetes. You can also enable auto scaling for your pods, which allows you to automatically adjust the number of pods based on the demand or custom metrics.

An Application Load Balancer (ALB) is a load balancer that distributes traffic across multiple targets in multiple Availability Zones using HTTP or HTTPS protocols. You can use an ALB to balance the load across your Amazon EKS pods and provide high availability and fault tolerance for your application.

Amazon RDS for PostgreSQL is a fully managed relational database service that supports the PostgreSQL open source database engine. You can create additional read replicas for your DB instance, which are copies of your primary DB instance that can handle read-only queries and improve performance. You can also useread replicas to scale out beyond the capacity of a single DB instance for read-heavy workloads.

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that makes it easy to build and run applications that use Apache Kafka to process streaming data. Apache Kafka is an open source platform for building real-time data pipelines and streaming applications. You can use Amazon MSK to create and manage a Kafka cluster that is highly available, secure, and compatible with your existing Kafka applications. You can also configure your application services to use the Amazon MSK cluster as a source or destination of streaming data.

Amazon S3 is an object storage service that offers high durability, availability, and scalability. You can store static content such as images, videos, or documents in Amazon S3 buckets, which are containers for objects. You can also serve static content directly from Amazon S3 using public URLs or presigned URLs.

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. You can use Amazon CloudFront to create a distribution that caches static content from your Amazon S3 bucket at edge locations closer to your users. This can improve the performance and user experience of your application.

Option A is incorrect because creating an EC2 Auto Scaling group behind an ALB would not reduce operational overhead as much as using AWS Fargate with Amazon EKS, as you would still need to manage EC2 instances for your containers. Creating additional read replicas for the DB instance would not provide high availability or fault tolerance in case of a failure of the primary DB instance, unlike deploying the DB instance in Multi-AZ mode. Creating Amazon Kinesis data streams would not be compatible with your existing Apache Kafka applications, unlike using Amazon MSK.

Option B is incorrect because creating an EC2 Auto Scaling group behind an ALB would not reduce operational overhead as much as using AWS Fargate with Amazon EKS, as you would still need to manage EC2 instances for your containers. Creating Amazon Kinesis data streams would not be compatible with your existing Apache Kafka applications, unlike using Amazon MSK. Storing and serving static content directly from Amazon S3 would not provide optimal performance and user experience, unlike using Amazon CloudFront.

Option C is incorrect because deploying the application on a Kubernetes cluster created on the EC2 instances behind an ALB would not reduce operational overhead as much as using AWS Fargate with Amazon EKS, as you would still need to manage EC2 instances and Kubernetes control plane for your containers. Using Amazon API Gateway to interact with the application would add an unnecessary layer of complexity and cost to your architecture, as you would need to create and maintain an API gateway that proxies requests to your ALB.

Comprehensive and Detailed in Depth Explanation:

C is correct because Amazon EFS offers a scalable, elastic file system that can be mounted on both on-premises servers (via AWS Direct Connect or VPN) and EC2 instances. This allows real-time access to shared content with no migration downtime.

D is correct because AWS Snowball Edge Storage Optimized devices are designed for transferring petabyte-scale data (up to 80 TB per device). It’s a best practice for moving 200 TB of archival data when speed and bandwidth are constraints.

To connect VPC resources over a transit Virtual Interface (VIF) using a Direct Connect connection, the company should advertise the on-premises network prefixes over the transit VIF and advertise the VPC prefixes from the Direct Connect gateway to the on-premises network over the same VIF. This configuration ensures seamless connectivity between the on-premises infrastructure and the AWS VPCs through the transit gateway, facilitating efficient and secure communication across the network.

AWS Documentation on AWS Direct Connect and transit gateways provides detailed instructions on configuring transit VIFs and routing for Direct Connect connections. This setup is recommended in AWS best practices for establishing dedicated network connections between on-premises environments and AWS to achieve low-latency, high-throughput, and secure connectivity.

https://aws.amazon.com/premiumsupport/knowledge-center/aws-sftp-endpoint-type/

This option allows the company to use DAX to improve the performance and reduce the latency of the DynamoDB queries by caching the results in memory1. By updating the application to use DAX, the company can reduce the load on the DynamoDB tables and avoid throttling errors1. By creating an Auto Scaling group for the EC2 instances, the company can adjust the number of instances based on the demand and ensure high availability2. By creating an ALB, the company can distribute the incoming traffic across multiple EC2 instances and improve fault tolerance3. By updating the Route 53 record to use a simple routing policy that targets the ALB’s DNS alias, the company can route users to the ALB endpoint and leverage its health checks and load balancing features4. By configuring scheduled scaling for the EC2 instances before the content updates, the company can anticipate and handle traffic spikes during peak periods5.

What is Amazon DynamoDB Accelerator (DAX)?

What is Amazon EC2 Auto Scaling?

What is an Application Load Balancer?

Choosing a routing policy

Scheduled scaling for Amazon EC2 Auto Scaling

According to the AWS documentation1, AWS App2Container (A2C) is a command line tool for migrating and modernizing Java and .NET web applications into container format. AWS A2C analyzes and builds an inventory of applications running in bare metal, virtual machines, Amazon Elastic Compute Cloud (EC2) instances, or in the cloud. You can use AWS A2C to generate container images for your applications and deploy them on Amazon ECS or Amazon EKS.

Option A meets the requirements of the scenario because it allows you to migrate your existing Java application to AWS and minimize the administrative overhead to maintain the servers. You can use AWS A2C to analyze your application dependencies, extract application artifacts, and generate a Dockerfile. You can then store your container images in Amazon ECR, which is a fully managed container registry service. You can use AWS Fargate as the launch type for your Amazon ECS cluster, which is a serverless compute engine that eliminates the need to provision and manage servers for your containers. You can grant the ECS task execution role permission to access the ECR image repository, which allows your tasks to pull images from ECR. You can configure Amazon ECS to use an ALB, whichis a load balancer that distributes traffic across multiple targets in multiple Availability Zones using HTTP or HTTPS protocols. You can use the ALB to interact with your application.

A is correct because AWS recommends using oneconnection alias per Region, associated witheach directory. Then, configure a Route 53 failover policy so that if the primary Region becomes unhealthy, users are directed to the failover Region automatically. “Evaluate Target Health” ensures automatic detection and failover.

The awsvpc network mode provides each task with its own elastic network interface (ENI) and a primary private IP address1. By using this network mode, the solutions architect can isolate the tasks from each other and apply security groups to the tasks directly2. This way, the solutions architect can control the inbound and outbound traffic at the task level and enforce the least privilege principle3. IAM roles for tasks allow the solutions architect to assign permissions to each task separately, so that they can access other AWS resources that they need4. By using IAM roles for tasks, the solutions architect can avoid passing IAM credentials into the container at launch time, which is less secure and more prone to errors5.

awsvpc network mode

Task networking with the awsvpc network mode

Security groups for your VPC

IAM roles for tasks

Best practices for managing AWS access keys

Automating the process of increasing service quotas for Amazon EC2 instances in new AWS accounts with minimal operational overhead can be effectively achieved by using Amazon EventBridge, Amazon SNS, and AWS Lambda. An EventBridge rule can detect the creation of a new account and trigger an SNS topic, which in turn invokes a Lambda function. This function can then programmatically request a service quota increase for EC2 instances using the AWS Service Quotas API. This approach streamlines the process, reduces manual intervention, and ensures that new accounts are automatically configured with the desired service quotas.

Amazon EventBridge Documentation: Provides guidance on setting up event rules for detecting AWS account creation.

AWS Lambda Documentation: Details how to create and configure Lambda functions to perform automated tasks, such as requesting service quota increases.

AWS Service Quotas Documentation: Offers information on managing and requesting increases for AWS service quotas programmatically.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html

https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-prereqs-considerations.html

it will use the ALB to handle the unpredictable bursts of traffic and route it to the SQS queue. The SQS queue will act as a buffer to store incoming data temporarily and the container running in Amazon ECS with the Fargate launch type will process messages in the queue. This approach will ensure that all data is processed and prevent data loss.

The company needs the application in the secondary Region to operate independently from the primary Region during disaster recovery. That means both the DynamoDB data and the relational customer data must be present and usable in the secondary Region without cross-Region dependencies at runtime. The company also wants the least development effort, which usually means using native managed replication features rather than building custom replication logic.

For DynamoDB, global tables are the managed multi-Region, multi-active replication feature. Global tables replicate changes between Regions automatically and allow applications in each Region to read and write to local DynamoDB tables, removing dependencies on the primary Region.

For the RDS for MySQL database, the straightforward managed approach for cross-Region disaster recovery with minimal development change is to create a cross-Region read replica in the secondary Region. A read replica uses asynchronous replication to keep data up to date. During a disaster recovery event, the company can promote the read replica in the secondary Region to become a standalone primary database instance. This provides a simple, low-development approach for having the data in the secondary Region. The application in the secondary Region can be configured to use the replica endpoint in normal times and can continue operating with the promoted instance during failover.

Option A combines DynamoDB global tables with an RDS read replica in the secondary Region. This is the least development effort because it uses AWS-managed replication for both data stores and requires only configuration changes and endpoint selection in the secondary application.

Option B is not correct because DAX is a caching layer for DynamoDB, not a replication or disaster recovery mechanism. DAX does not replicate DynamoDB tables into another Region and cannot replace having the DynamoDB data present in the secondary Region.

Option C is incorrect because RDS Multi-AZ is a high availability feature within a single Region, using synchronous replication to a standby in another Availability Zone. Multi-AZ does not create a standby in a different Region, and it does not provide cross-Region DR by itself.

Option D is less desirable because it requires custom development and operations: processing DynamoDB streams, building and operating a replication pipeline, and ensuring correctness and ordering across Regions. This is higher development effort than enabling DynamoDB global tables.

Therefore, using DynamoDB global tables plus an RDS read replica in the secondary Region (option A) meets the DR independence requirement with the least development effort.

This solution requires minimal operational overhead, as it only requires setting up AWS IoT Core and creating a thing for each device. (Reference: AWS Certified Solutions Architect - Professional Official Amazon Text Book, Page 537)

AWS IoT Core is a fully managed service that enables secure, bi-directional communication between internet-connected devices and the AWS Cloud. It supports the MQTT protocol and includes built-in device authentication and access control. By using AWS IoT Core, the company can easily provision and manage the X.509 certificates for each device, and connect the devices to the service with minimal operational overhead.

Comprehensive and Detailed Explanation From Exact Extract:

D is required because the only reliable way to ensure newly launched Auto Scaling instances are patched is to make the launch template reference an AMI that already includes the latest security updates (an immutable image approach). AWS Systems Manager can automate building and maintaining patched AMIs (for example, through automated image creation workflows), after which the launch template is updated to the new AMI and the fleet is updated using Instance Refresh. Instance Refresh performs a controlled rolling replacement of instances so that the Auto Scaling group converges to the new AMI baseline.

C complements D by ensuring safe replacement and availability during the refresh/replacement process. Placing an ALB in front of the Auto Scaling group with health checks ensures that only healthy, fully bootstrapped/patched instances receive traffic, and that traffic is drained away from instances being replaced. Monitoring target health confirms the rollout is successful and minimizes risk during patch-driven reboots or instance replacement.

Why the other options are incorrect:

A: A termination policy setting does not ensure new instances are patched. It only affects which instances are terminated first. It does not solve the “launch patched instances” requirement.

B: Running two Auto Scaling groups and continuing in-place patching increases operational overhead and still risks drift and unpatched capacity when scaling occurs outside the maintenance window. It also does not address the core issue: the launch template AMI baseline.

E: NLB + termination protection does not ensure instances are patched at launch. Termination protection can interfere with Auto Scaling’s ability to replace instances, and NLB does not inherently provide the same application-layer health check behavior and deployment safety patterns typically used for rolling replacements (compared to ALB target group health checks).

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html

You can set up CloudFront with origin failover for scenarios that require high availability. To get started, you create an origin group with two origins: a primary and a secondary. If the primary origin is unavailable, or returns specific HTTP response status codes that indicate a failure, CloudFront automatically switches to the secondary origin.

https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-auto-scaling.html

Migrate the database to Amazon Aurora MySQL. - Create an Amazon Aurora Replica. - Use RDS Proxy in front of the database. - These options are correct because they address the requirement of reducing the failover time to less than 20 seconds. Migrating to Amazon Aurora MySQL and creating an Aurora replica can reduce the failover time to less than 20 seconds. Aurora has a built-in, fault-tolerant storage system that can automatically detect and repair failures. Additionally, Aurora has a feature called "Aurora Global Database" which allows you to create read-only replicas across multiple AWS regions which can further help to reduce the failover time. Creating an Aurora replica can also help to reduce the failover time as it can take over as the primary DB instance in case of a failure. Using RDS proxy can also help to reduce the failover time as it can route the queries to the healthy DB instance, it also helps to balance the load across multiple DB instances.

The company wants logging that helps troubleshoot email delivery issues and also wants to search by recipient, subject, and time sent. Amazon SES provides event publishing for email sending and delivery events through configuration sets. With a configuration set, SES can publish sending events such as send, delivery, bounce, complaint, reject, and rendering failure to destinations such as Amazon CloudWatch, Amazon SNS, or Amazon Kinesis Data Firehose. For building a searchable log store, delivering these events into Amazon S3 through Kinesis Data Firehose is an effective approach because S3 provides durable storage and integrates well with query services.

Option A creates an SES configuration set with a Kinesis Data Firehose destination that delivers logs to an S3 bucket. This captures detailed SES event data that is directly useful for troubleshooting delivery issues and retaining historical records for analysis.

Once logs are stored in Amazon S3, Amazon Athena can query the data using SQL. Athena is designed to query data in S3 and is well suited for ad hoc searches. This meets the requirement to search based on recipient, subject, and time sent, assuming the event schema includes these fields (or they are included in the published event payload). Therefore, option C completes the solution by enabling searches over the stored log dataset.

Option B (CloudTrail) records API activity, such as calls made to SES APIs, but it is not designed to capture per-message delivery outcomes (deliveries, bounces, complaints) in a way that supports troubleshooting delivery behavior and detailed email event searching. CloudTrail is useful for auditing who called SES APIs, not for tracking message-level delivery events and outcomes.

Option D (CloudWatch log group) is another valid SES event publishing destination, but if the requirement is to perform flexible searches by multiple dimensions over a potentially large historical dataset, storing the logs in S3 and querying with Athena is a more direct and scalable pattern. Also, the provided option E is incorrect because Athena queries data in S3, not in CloudWatch Logs. CloudWatch Logs has its own query mechanism, but Athena is not used to query CloudWatch Logs directly in the way described.

Option E is incorrect because Amazon Athena does not query CloudWatch Logs as a log store. The typical searchable pattern for Athena is S3-backed datasets.

Therefore, the best combination to satisfy logging and searchable analysis requirements is to publish SES events to S3 via Kinesis Data Firehose (option A) and query those logs with Athena (option C).

This solution uses a combination of AWS Resource Access Manager (RAM) and automated backups to migrate the Lambda functions and the Aurora database to theTarget account while minimizing downtime. In this solution, the Lambda function deployment package is downloaded from the Source account and used to create new Lambda functions in the Target account. The Aurora DB cluster is shared with the Target account using AWS RAM and the Target account is granted permission to clone the Aurora DB cluster, allowing for a new copy of the Aurora database to be created in the Target account. This approach allows for the data to be migrated to the Target account while minimizing downtime, as the Target account can use the cloned Aurora database while the original Aurora database continues to be used in the Source account.

an AWS Lambda function in the backup region to promote the read replica and modify the Auto Scaling group values, and then configuring Route 53 with a health check that monitors the web application and sends an Amazon SNS notification to the Lambda function when the health check status is unhealthy. Finally, the application's Route 53 record should be updated with a failover policy that routes traffic to the ALB in the backup region when a health check failure occurs. This approach provides automatic failover to the backup region when a health check failure occurs, reducing the RTO to less than 15 minutes. Additionally, this approach is cost-effective as it does not require an active-active strategy.

The analytics team wants to copy only a subset of the data, run the copy as soon as data is ready, and receive notifications when the process completes. AWS DataSync supports the use of manifest files to control exactly which files or objects are transferred. By generating a manifest file on premises that lists only the relevant data and uploading that manifest to Amazon S3, the company can precisely limit what DataSync copies, which reduces data transfer costs and processing overhead.

Option A satisfies the requirement to identify only analytics-relevant data by creating and uploading a manifest file that lists the objects to be transferred. This avoids copying unnecessary data and is cost-effective.

Option D uses Amazon S3 Event Notifications to trigger an AWS Lambda function as soon as the manifest file is uploaded. The Lambda function starts the DataSync task and references the manifest file. This ensures that the copy process begins immediately after data generation, rather than waiting for a fixed schedule, which meets the “as soon as possible” requirement.

Option E provides a fully managed and scalable notification mechanism. AWS DataSync publishes task execution state changes as events. Amazon EventBridge can capture SUCCESS or ERROR states and route those events to Amazon SNS, which can then send email notifications. This approach avoids custom polling logic and minimizes operational overhead.

Option B and C introduce Amazon DynamoDB unnecessarily. DataSync can directly consume a manifest file from Amazon S3, so loading manifest data into DynamoDB and orchestrating copy logic manually adds cost and complexity without benefit.

Option F relies on a custom Lambda function to monitor task state changes, which increases operational overhead compared to the native EventBridge integration with DataSync.

Therefore, using S3-based manifests, event-driven invocation of DataSync, and EventBridge-based notifications is the most cost-effective and operationally efficient solution.

A is correct:Quota request templates must be created in us-east-1, the only region that supports them. You specify the desired quotain the correct target Region(ap-southeast-2) for SageMaker training and endpoint usage. This enablesautomatic quota increasesfor newly created accounts in the org.

B, C, and D misconfigure either region or quota type.

The most operationally efficient solution for turning on AWS CloudTrail across multiple AWS accounts managed within an AWS Organization is to create a single CloudTrail trail in the organization's management account and configure it to log events for all accounts within the organization. This approach leverages CloudTrail's ability to consolidate logs from all accounts in an organization, thereby simplifying management, reducing overhead, and ensuring consistent logging across accounts. This method eliminates the need for manual intervention in each account, making it an operationally efficient choice for organizations planning to scale their AWS usage.

AWS CloudTrail Documentation: Provides detailed instructions on setting up CloudTrail, including how to configure it for an organization.

AWS Organizations Documentation: Offers insights into best practices for managing multiple AWS accounts and how services like CloudTrail integrate with AWS Organizations.

AWS Best Practices for Security and Governance: Guides on how to effectively use AWS services to maintain a secure and well-governed AWS environment, with a focus on centralized logging and monitoring.

AWS Cost Anomaly Detection is a feature of the AWS Cost Management suite that leverages machine learning to enable continuous monitoring of your AWS costs and usage, allowing you to identify unexpected and abnormal spending1. You can create cost monitors that evaluate specific AWS services, member accounts, cost allocation tags, orcost categories based on your AWS account structure2. You can also configure alert subscriptions that notify you when a cost monitor detects an anomaly that meets your threshold2. In this case, you can create a cost monitor with a monitor type of AWS Service and apply a filter of Amazon EC2 to track the EC2 usage as a metric. You can then configure an alert subscription to notify the architecture team if the usage is 10% more than the average usage for the last 30 days, which is the anomaly detection period used by AWS Cost Anomaly Detection3.

The company should create a Network Load Balancer (NLB) and associate it with one static IP address in multiple Availability Zones. The company should also create an ALB-type target group for the NLB and add the existing ALB. The company should add the NLB IP addresses to the firewall appliance and update the clients to connect to the NLB. This solution will allow traffic flow to AWS from the on-premises network by using static IP addresses that can be added to the firewall appliance’s allow list. The NLB will forward requests to the ALB, which will use path-based routing to forward requests to the target groups.

AWSKMS multi-Region keysallow encryption in one Region and decryption in another. This is specifically built forcross-Region replication scenarios, like Amazon S3 Cross-Region Replication (CRR).

With a multi-Region key, youcreate a primary keyin one Region andreplica keysin others. These replicas share the same key material and key ID.

Option B would fail because different keys = different IDs = decryption mismatch.

Option C is unrelated — Private CA is for certificates, not symmetric key encryption.

Option D is insecure and violates AWS KMS key management best practices.

Log Tenant ID and RCUs/WCUs:

Update the AWS Lambda functions to log the tenant ID and the number of Read Capacity Units (RCUs) and Write Capacity Units (WCUs) consumed from DynamoDB for each transaction.This data will be logged to Amazon CloudWatch Logs.

Calculate Tenant Costs:

Deploy an additional Lambda function that reads the logs from CloudWatch Logs, calculates the RCUs and WCUs used by each tenant, and then uses the AWS Cost Explorer API to retrieve the overall cost of DynamoDB usage. This function will then allocate the costs to each tenant based on their usage.

Scheduled Cost Calculation:

Create an Amazon EventBridge rule to trigger the cost calculation Lambda function at regular intervals (e.g., daily or hourly). This ensures that cost allocation is continuously updated and tenants are billed accurately based on their consumption.

This solution minimizes operational effort by automating the cost allocation process and ensuring that the company can accurately bill tenants based on their resource consumption.

References

AWS Cost Explorer Documentation

Amazon CloudWatch Logs Documentation

AWS Lambda Documentation

You can use the management account of the organization in AWS Billing and Cost Management console to turn off RI sharing for the HR department's production AWS account. This will prevent other departments from sharing the RI discounts and ensure that only the HR department can use the RIs purchased in their production account.

Developing infrastructure services using AWS CloudFormation templates and uploading them as AWS Service Catalog products to portfolios created in a central AWS account will enable thecompany to centrally manage the creation of infrastructure services and control who can use them1. AWS Service Catalog allows you to create and manage catalogs of IT services that are approved for use on AWS2. You can organize products into portfolios, which are collections of products along with configuration information3. You can share portfolios with other accounts in your organization using AWS Organizations4.

Allowing user IAM roles to have ServiceCatalogEndUserAccess permissions only and using an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints will enable the company to provide least privilege access to users when launching AWS infrastructure services. ServiceCatalogEndUserAccess is a managed IAM policy that grants users permission to list and view products and launch product instances. An automation script can help import the shared portfolios from the central account to the local accounts, copy the TagOption from the central account, assign users access to the portfolios, and apply launch constraints that specify which IAM role or user can provision a product.

Using the AWS Service Catalog TagOption Library to maintain a list of tags required by the company and applying the TagOption to AWS Service Catalog products or portfolios will enable the company to enforce tags on any infrastructure that is started by users. TagOptions are key-value pairs that you can use to classify your AWS Service Catalog resources. You can create a TagOption Library that contains all the tags that you want to use across your organization. You can apply TagOptions to products or portfolios, and they will be automatically applied to any provisioned product instances.

Creating a product from an existing CloudFormation template

What is AWS Service Catalog?

Working with portfolios

Sharing a portfolio with AWS Organizations

[Providing least privilege access for users]

[AWS managed policies for job functions]

[Importing shared portfolios]

[Enforcing tag policies]

[Working with TagOptions]

[Creating a TagOption Library]

[Applying TagOptions]

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html#placement- groups-cluster

Using AWS CloudFormation to launch a stack with an Application Load Balancer (ALB) in front of an Amazon EC2 Auto Scaling group spanning three Availability Zones, a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a Retain deletion policy, and an Amazon Route 53 alias record to route traffic from the company’s domain to the ALB will ensure that

https://aws.amazon.com/premiumsupport/knowledge-center/aws-batch-requests-error/

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-429-limit/

The main problem is that one client is generating a large number of PUT requests, resulting in increased errors. Because the clients are authenticated by API keys and the problematic traffic is concentrated among a small set of clients, API Gateway usage plans and throttling are a direct control mechanism to limit the request rate per client (or per API key). The API is noncritical and clients can tolerate retries, so returning throttling responses is acceptable as long as clients handle them correctly. The goal is to reduce visible customer-facing errors and protect the API from being overwhelmed by a single client.

API Gateway usage plans can set request throttling limits (rate and burst) per API key. When a client exceeds the configured throttle, API Gateway returns HTTP 429 (Too Many Requests). If the client application is designed to treat 429 as a normal, retryable condition rather than a fatal error, the user experience improves because the client can back off and retry instead of surfacing raw failures. This approach prevents one noisy client from degrading service for other users and reduces the overall error rate.

Option B addresses the root cause (excess requests from a particular client) by enforcing throttling at the API Gateway layer and improving client behavior when throttled.

Option A focuses on client-side retries and error handling but does not enforce fairness or prevent a single client from consuming disproportionate API capacity. Without throttling, the same client can continue to overload downstream Lambda and DynamoDB capacity and still cause errors for everyone.

Option C (API caching) does not help for PUT requests because PUT operations are writes and are generally not cacheable in a way that reduces write load. Caching is mainly beneficial for GET responses and read-heavy workloads.

Option D (reserved concurrency) can protect Lambda capacity for critical functions, but it can also cause throttling at the Lambda layer and does not directly address controlling the request rate per API key. It also does not fix the issue at the API front door where the noisy client should be managed.

Therefore, implementing API Gateway throttling via a usage plan and ensuring clients handle 429 responses properly is the best recommendation.

By splitting the 12 instances across three Availability Zones, the system can maintain high availability and availability of resources in case of a failure. Option D also uses a combination of On-Demand Instances with Capacity Reservations and Spot Instances, which allows for scheduled jobs to be run on the On-Demand instances with guaranteed capacity, while also taking advantage of the cost savings from Spot Instances for the user jobs which have lower SLA requirements.

A is correct because:

DynamoDB global tablesallow for multi-Region, active-active usage.

RDS MySQL read replicain another Region supports read workloads and can bepromotedduring disaster to act as a standalone DB.

B is incorrect: DAX is a cache, not a replication mechanism.

C is wrong because Multi-AZ doesn’t span Regions.

D is more manual and error-prone.

This option allows the solutions architect to use a DeletionPolicy attribute to specify how AWS CloudFormation handles the deletion of an S3 bucket when the stack is deleted1. By setting the value of Delete, the solutions architect can instruct CloudFormation to delete the bucket and all of itscontents1. This option does not require any major changes to the application’s architecture or any additional resources.

Deletion policies

https://aws.amazon.com/migration-evaluator/features/

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

The workload must be deployed to a second AWS Region to reduce latency for users while maintaining business continuity. Because more than 95% of operations are read operations, the database layer must efficiently support low-latency reads in multiple Regions without introducing complex replication logic or sacrificing availability.

Amazon Aurora MySQL global database is specifically designed for multi-Region deployments. It provides a single primary Region for writes and up to multiple secondary Regions with read-only replicas that use low-latency, storage-based replication. This architecture is well suited for read-heavy workloads because read traffic can be served locally in each Region while writes are centralized. Aurora global database also supports fast recovery and promotes a secondary Region in the event of a primary Region failure, which satisfies business continuity requirements.

Option A correctly migrates the existing RDS for MySQL database to an Aurora MySQL global database and deploys application infrastructure (ALB and Auto Scaling group) in the second Region. This enables applications in each Region to read from the closest Aurora replica, reducing read latency while preserving a managed, highly available database architecture.

To route users to the closest healthy Region, DNS-based traffic management is required. Route 53 latency-based routing directs users to the endpoint (ALB) with the lowest latency from their location. This directly addresses the requirement to reduce application latency while also supporting multi-Region availability.

Option C provides this routing capability by configuring latency-based routing with Route 53 and pointing records to both ALBs. Route 53 continuously evaluates latency and health checks to route traffic appropriately, which supports both performance and business continuity.

Option B is not sufficient because migrating to a separate Multi-AZ database in another Region does not provide a shared data layer or managed cross-Region replication. This would require custom replication and conflict resolution and does not maintain a single logical dataset across Regions. CloudFront improves content delivery for static assets but does not solve database read latency or data consistency.

Option D uses geolocation routing, which routes traffic based on user location rather than actual measured latency. This is less precise than latency-based routing and does not automatically adapt to changing network conditions or Region health.

Option E introduces Aurora Serverless v2, which is not designed for multi-Region global database replication. Aurora Serverless v2 focuses on scaling capacity within a Region, not on reducing latency across Regions or providing managed global read replicas.

Therefore, migrating to an Aurora MySQL global database and using Route 53 latency-based routing provides low-latency reads, high availability, and business continuity with minimal operational overhead.

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The current CI/CD pipeline uses an IAM user with long-lived access keys stored in GitHub Actions. The new requirement is that pipelines must not use long-lived secret keys. Instead, the solution should provide short-lived credentials with minimal operational overhead.

GitHub Actions natively supports integration with cloud providers using OpenID Connect (OIDC). With OIDC, GitHub acts as an identity provider that can issue OIDC tokens to workflows. On the AWS side, IAM supports configuring an OIDC identity provider and roles that can be assumed by principals presenting valid OIDC tokens through the sts:AssumeRoleWithWebIdentity API. This pattern enables short-lived, automatically rotated credentials for CI/CD jobs without storing long-lived secrets.

In the correct solution (option B), you configure an IAM OIDC identity provider for GitHub in the AWS account. You then create a new IAM role with a trust policy that allows the Github OIDC provider to call sts:AssumeRoleWithWebIdentity, with conditions that restrict which repositories or workflows can assume the role. The existing IAM policy that grants deployment permissions is attached to that role. In GitHub Actions, you update the pipeline configuration to request an OIDC token and assume the IAM role at runtime. Each workflow run receives short-lived credentials without storing static keys, and AWS automatically handles the token verification and temporary credential issuance. This approach is the AWS-recommended pattern for integrating GitHub Actions with AWS without long-lived secrets and has low operational overhead once configured.

Option A uses SAML 2.0, which is typically used for enterprise single sign-on for users, not for GitHub Actions workflows. GitHub does not natively use SAML to obtain AWS credentials for CI/CD pipelines in the same streamlined way as OIDC, and implementing a SAML-based integration would add unnecessary complexity.

Option C introduces Amazon Cognito as an indirection layer. Although Cognito can federate with external identity providers, including social providers, using it as an intermediary to obtain temporary AWS credentials for a machine-to-machine CI/CD pipeline is not necessary when IAM OIDC federation with GitHub is directly supported. This adds additional configuration and operational overhead.

Option D uses IAM Roles Anywhere with client certificates from AWS Private CA. Roles Anywhere is designed for workloads running outside AWS that need to assume IAM roles using X.509 certificates instead of access keys. While technically possible, it requires managing private certificates, trust anchors, and a credential helper tool, which is more complex and operationally heavier than the direct OIDC integration specifically designed for GitHub Actions.

Therefore, configuring an IAM OIDC identity provider for GitHub and creating an IAM role to be assumed via sts:AssumeRoleWithWebIdentity (option B) meets the requirement to replace long-lived secret keys with short-lived credentials with the least operational overhead.

All features – The default feature set that is available to AWS Organizations. It includes all the functionality of consolidated billing, plus advanced features that give you more control over accounts in your organization. For example, when all features are enabled the management account of the organization has full control over what member accounts can do. The management account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access.https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set

Migrating to an Amazon EKS cluster with managed node groups minimizes the effort required because:

EKS is fully managed, offering native Kubernetes support, making it easy to deploy the existing Kubernetes manifests without major changes.

Copying containers to Amazon ECR allows for fully managed, scalable container image storage in AWS, eliminating reliance on the on-premises container repository.

Deploying the existing manifests directly to EKS reuses all the existing configuration, such as service definitions, deployments, and scaling policies, simplifying migration.

Using Amazon Aurora PostgreSQL provides a fully managed, highly available database service that is compatible with PostgreSQL, reducing operational overhead compared to managing a self-hosted database.This approach leverages the power of AWS managed services while preserving the existing microservices and deployment practices, ensuring minimal disruption and fastest migration path.

Using a DHCP options set in AWS allows EC2 instances to automatically receive network configuration information, including the IP address of the on-premises NTP server.

This ensures that all EC2 instances in the VPC consistently use the on-premises atomic clock as their authoritative time source, maintaining the same time synchronization as the existing environment.

By allowing NTP traffic over the Direct Connect connection and ensuring proper security group and network ACL configurations, this approach eliminates the need to manually configure each EC2 instance’s NTP settings, significantly reducing administrative overhead and ensuring consistent, accurate time across the environment.

This aligns with AWS best practices for extending on-premises time synchronization to EC2 instances in a hybrid environment.

Transfer acceleration. S3 Transfer Acceleration utilizes the Amazon CloudFront global network of edge locations to accelerate the transfer of data to and from S3 buckets. By enabling S3 Transfer Acceleration on the centralized S3 bucket, the users in Europe will experience faster uploads as their data will be routed through the closest CloudFront edge location.

Configuring an S3 Lifecycle policy to expire incomplete multipart uploads after 7 days prevents storage of partially uploaded objects, avoiding unnecessary costs from failed uploads.

Additionally, implementing a lifecycle policy to transition objects to S3 Standard-IA after 180 days ensures older videos that are rarely accessed move to a lower-cost storage class, significantly reducing storage costs.

These measures are aligned with AWS cost optimization best practices for S3 data lifecycle management.

Resource-based policies are policies that you attach to a resource, such as an IAM role, to specify who can access the resource and what actions they can perform on it1. Identity-based policies are policies that you attach to an IAM user, group, or role to specify what actions they can perform on which resources2. Trust policies are special types of resource-based policies that define which principals (such as IAM users or roles) can assume a role3.

To allow an IAM user in Account A to assume a role in Account B, the solutions architect needs to do the following:

Configure the resource-based policy on the target role in Account B to allow the action sts:AssumeRole for the IAM user in Account A. This policy grants permission to the IAM user to assume the role4.

Configure the identity-based policy on the user in Account A to allow the action sts:AssumeRole for the target role in Account B. This policy grants permission to the user to perform the action of assuming the role5.

Configure the trust policy on the target role in Account B to allow the principal of the IAM user in Account A. This policy defines who can assume the role.

Resource-based policies

Identity-based policies

Trust policies

Granting a user permissions to switch roles

Switching roles

[Modifying a role trust policy]

The company wants backups to be stored in an isolated central account designed for WORM storage. With AWS Organizations, AWS Backup supports centralized, cross-account backup management through delegated administration, backup policies, and cross-account backup vault usage. This provides the least operational overhead and scales to dozens of databases.

A key constraint is encryption. The databases are encrypted with the default RDS AWS KMS key. AWS-managed KMS keys (including the default RDS KMS key) are not customer-managed and generally cannot be shared across accounts for cross-account snapshot copy and cross-account backup workflows that require key sharing and explicit grants. For cross-account backup copies, the source backups must be encrypted with a customer managed KMS key that can be shared (via key policy and grants) with the destination account. Therefore, the company must move away from using the default RDS AWS-managed key for encryption of snapshots that will be copied across accounts.

Option A uses the correct managed approach: enable trusted access and backup policies in Organizations, make the central account the delegated administrator, and use AWS Backup to manage cross-account backups into a central backup vault. It also correctly introduces a customer managed KMS key in the central account for the backup vault and shares that key with the production account. Because the existing databases are encrypted with the default RDS AWS-managed key, option A includes the necessary remediation step: restore (or otherwise recreate) the databases so they are encrypted with the shared customer managed KMS key, enabling future backups and copies to be encrypted with a shareable key and stored in the central vault.

Option B is not workable because it requires “sharing the default RDS KMS key” with another account and using it for the central vault. AWS-managed keys are not shared and are not controlled by customers in a way that supports this cross-account backup model. Therefore, this option fails the encryption requirement.

Option C and option D rely on decrypting snapshots, copying them as unencrypted, and then re-encrypting. This is not a valid or safe operational pattern for RDS automated backups at scale, and it conflicts with typical constraints around snapshot encryption transitions. It also introduces substantial custom automation and operational overhead, and it undermines the objective of a controlled WORM backup account by manipulating encryption state through custom code. Additionally, “decrypting snapshots” is not how encrypted RDS snapshots are typically handled; encrypted snapshots remain encrypted and are copied re-encrypted with a different KMS key that the destination can use, which requires a customer managed key and proper permissions.

Therefore, the successful and scalable solution is to centralize backups with AWS Backup and ensure the databases are encrypted with a customer managed KMS key that can be shared cross-account, as described in option A.

Turning on the cross-account management feature in AWS Backup will enable managing and monitoring backups across multiple AWS accounts that belong to the same organization in AWS Organizations1. Creating a backup plan that specifies the frequency and retention requirements will enable taking snapshots every 6 hours and retaining them for 30 days2. Adding a tag to the DB instances will enable applying the backup plan by using tags2. Using AWS Backup to monitor the status of the backups will enable having a consolidated view of the health of the RDS snapshots1.

The best option is to use an Auto Scaling group, a Network Load Balancer, Amazon Route 53, and Amazon DynamoDB to create a scalable, highly available, and low-latency online game application. An Auto Scaling group can automatically adjust the number of EC2 instances based on the demand and traffic in each Region. A Network Load Balancer can distribute the incoming traffic across the EC2 instances and handle millions of requests per second. Amazon Route 53 can use latency-based routing to direct the users to the Region that provides the best performance. Amazon DynamoDB global tables can replicate the game metadata across multiple Regions, ensuring consistency and availability of thedata. This approach minimizes the operational overhead and cost, as it leverages fully managed services and avoids custom logic or replication.

Option A is not optimal because using an EC2 Spot Fleet can introduce the risk of losing the EC2 instances if the Spot price exceeds the bid price, which can affect the availability and performance of the game. Using AWS Global Accelerator can improve the network performance, but it is not necessary if Amazon Route 53 can already route the users to the closest Region. Using Amazon RDS for MySQL can store the game metadata, but it requires setting up read replicas and managing the replication lag across Regions, which can increase the complexity and cost.

Option B is not optimal because using geoproximity routing can direct the users to the Region that is geographically closer, but it does not account for the network latency or performance. Using MySQL databases on EC2 instances can store the game metadata, but it requires managing the EC2 instances, the database software, the backups, the patches, and the replication across Regions, which can increase the operational overhead and cost.

Option D is not optimal because using EC2 Global View is not a valid service. Using a custom DNS server on an EC2 instance can redirect the user to the Region that provides the lowest latency, but it requires developing and maintaining the custom logic, as well as managing the EC2 instance, which can increase the operational overhead and cost. Using Amazon Aurora global database can store the game metadata, but it is more expensive and complex than using Amazon DynamoDB global tables.

Auto Scaling groups

Network Load Balancer

Amazon Route 53

Amazon DynamoDB global tables

Configuring the workload to use topology spread constraints that are based on Availability Zone will maximize the node resilience of the workload node groups. This will ensure that the pods are evenly distributed across different Availability Zones, reducing the impact of failures or disruptions in one Availability Zone2. This will also improve the availability and scalability of the workload node groups, as they can leverage the low-latency, high-throughput, and highly redundant networking between Availability Zones1.

The correct answer is C. This option uses AWS CloudTrail to create a trail in the organization’s management account that applies to all accounts in the organization. This way, the company can centrally manage and audit all API calls to AWS resources across multiple accounts and regions. The company also needs to create a new Amazon S3 bucket with versioning turned on to store the logs. Versioning helps protect against accidental or malicious deletion of log files by keeping multiple versions of each object in the bucket. The company also needs to enable MFA delete and encryption on the S3 bucket to further enhance the security and durability of the data store.

Option A is incorrect because it uses an existing S3 bucket in the organization’s management account to store the logs. This may not be optimal for regulatory compliance, as the existing bucket may have different permissions, encryption settings, or lifecycle policies than a dedicated bucket for CloudTrail logs.

Option B is incorrect because it requires creating a new CloudTrail trail in each member account of the organization. This adds operational overhead and complexity, as the company would need to manage multiple trails and S3 buckets across multiple accounts and regions.

Option D is incorrect because it requires configuring Amazon SNS to send log-file delivery notifications to an external management system that will track the logs. This adds unnecessary complexity and cost, as CloudTrail already provides log-file integrity validation and log-file digest delivery features that can help verify the authenticity and integrity of log files.

Creating a user pool in Amazon Cognito and configuring it for the application will meet the requirement of giving only a specific list of users the ability to access the application from the internet. A user pool is a directory of users that can sign in to an application with ausername and password1. The company can populate the user pool with the required users and configure the pool to require MFA for additional security2. Configuring a listenerrule on the ALB to require authentication through the Amazon Cognito hosted UI will meet the requirement of not changing the application and not integrating it with an identity provider. The ALB can use Amazon Cognito as an authentication action to authenticate usersbefore forwarding requests to the Fargate service3. The Amazon Cognito hosted UI is a customizable web page that provides sign-in and sign-up functionality for users4.

SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role.https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/

This approach allows the procurement managers to assume the procurement-manager-role in shared services accounts, which have the AWSPrivateMarketplaceAdminFullAccess managed policy attached to it and can then manage the Private Marketplace. The organization root-level SCP denies the permission to administer Private Marketplace to everyone except the role named procurement-manager-role and another SCP denies the permission to create an IAM role named procurement-manager-role to everyone in the organization, ensuring that only the procurement team can assume the role and manage the Private Marketplace. This approach provides a centralized way to manage and restrict access to Private Marketplace while maintaining a high level of security.

The application is business-critical with an SLA requirement of 99.95% uptime and is currently limited by an on-premises data center. The architecture includes a PostgreSQL database and separate business logic and presentation layers. Remote users experience high latency when accessing the application, which is latency-sensitive.

To meet or exceed a 99.95% SLA for the database while minimizing operational burden, a managed database service with built-in high availability is preferred. Amazon Aurora PostgreSQL-compatible editions provide high availability and durability by automatically replicating data across multiple Availability Zones in a Region. Aurora can offer higher availability and faster failover compared to self-managed databases on EC2, and offloads patching, backups, and maintenance.

For the application and presentation layers, running them on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer preserves the basic architecture (stateless application servers behind a load balancer) while moving to a managed, highly available environment that can scale out and in automatically based on demand. This results in minimal changes to the application components and provides improved resilience compared to on-premises VMs.

Remote users experience slow load times because their desktop clients connect over higher-latency networks to the on-premises servers. By using Amazon AppStream 2.0, the application can be streamed from AWS to end users. AppStream 2.0 runs the desktop application close to the backend database and application servers within AWS, and streams only the display and input over the network. This significantly reduces the effect of latency between the user and the application backend, improving user experience, especially for latency-sensitive desktop applications, without requiring major changes to the application itself.

Option A uses a PostgreSQL database on EC2, which requires the customer to manage availability, backups, patching, and failover. This does not provide the same managed high-availability guarantees as Aurora or RDS Multi-AZ. It also suggests allocating a full Amazon WorkSpaces desktop per user, which can be more expensive and more complex than streaming only the application via AppStream 2.0.

Option C uses Amazon RDS for PostgreSQL with Multi-AZ configuration, which provides high availability and is a valid managed option. However, it runs the application and presentation layers on Fargate containers behind a Network Load Balancer. NLB is typically used for TCP-level load balancing and is better suited for protocols that require low-level handling, whereas HTTP/HTTPS web applications are commonly placed behind an Application Load Balancer, which provides advanced HTTP routing features. Also, ElastiCache can reduce database load and improve response times but does not directly solve the end-user network latency issue in a desktop client scenario.

Option D is incorrect because Amazon Redshift is a data warehouse service, not an operational PostgreSQL-compatible database for transaction processing. It is not appropriate for hosting the application’s primary relational database. CloudFront accelerates delivery of static and cached web content, not interactive desktop client-server traffic.

Therefore, migrating the database to Aurora PostgreSQL, running the application and presentation layers on EC2 Auto Scaling behind an Application Load Balancer, and using Amazon AppStream 2.0 to deliver the application to remote users (option B) meets the availability requirements, improves user experience, requires relatively little change to the application architecture, and minimizes operational costs compared to more complex or less-managed alternatives.

This option allows the company to use AWS Client VPN to enable secure and private access to the Amazon ES cluster from any location1. By configuring and setting up an AWS Client VPN endpoint, the company can create a secure tunnel between the developers’ devices and the VPC2. By associating the Client VPN endpoint with a subnet in the VPC, the company can ensure that the trafficfrom the developers’ devices is routed to the Amazon ES cluster within the VPC3. By configuring a Client VPN self-service portal, the company can enable the developers to download and install the client for Client VPN, which is based on OpenVPN4. By instructing the developers to connect by using the client for Client VPN, the company can allow them to access Amazon ES to analyze and visualize logs directly from their local development machines.

What is AWS Client VPN?

Creating a Client VPN endpoint

Associating a target network with a Client VPN endpoint

Configuring a self-service portal

https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-error-kms/

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied" This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action.

Store Secret in AWS Secrets Manager:

Create a random string in AWS Secrets Manager to be used as a custom HTTP header value.

Set Up Automatic Rotation:

Implement a Lambda function to handle automatic rotation of the secret in AWS Secrets Manager, ensuring the header value remains secure.

Configure CloudFront Custom Header:

In the CloudFront distribution settings, configure an origin custom header with the name and value from AWS Secrets Manager. This header will be included in requests forwarded to the ALB.

Create AWS WAF Web ACL:

Create a Web ACL in AWS WAF with a string match rule to allow requests that include the custom header with the correct value.

Associate the Web ACL with the ALB to filter incoming traffic based on the custom header.

By using this method, you can ensure that only requests coming through CloudFront (which injects the custom header) can reach the ALB, enhancing the origin security

The company should create a new AWS WAF web ACL. The company should add a new rule that blocks requests that match the SQL database rule group. The company should set the web ACL to allow all other traffic that does not match those rules. The company should attach the web ACL to the ALB in front of the ECS tasks. This solution will meet the requirements because AWS WAF is a web application firewall that lets you monitor and control web requests that are forwarded to your web applications. You can use AWS WAF to define customizable web security rules that control which traffic can access your web applications and which traffic should be blocked1. By creating a new AWS WAF web ACL, the company can create a collection of rules that define the conditions for allowing or blocking web requests. By adding a new rule that blocks requests that match the SQL database rule group, the company can prevent SQL injection attacks from reaching the ECS API service. The SQL database rule group is a managed rule group provided by AWS that contains rules to protect against common SQL injection attack patterns2. By setting the web ACL to allow all other traffic that does not match those rules, the company can ensure that legitimate traffic can access the API service. By attaching the web ACL to the ALB in front of the ECS tasks, the company can apply the web security rules to all requests that are forwarded by the load balancer.

The other options are not correct because:

Creating a new AWS WAF Bot Control implementation would not prevent SQL injection attacks from reaching the ECS API service. AWS WAF Bot Control is a feature that gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime, or perform other undesired activities. However, it does not protect against SQL injection attacks, which are malicious attempts to execute unauthorized SQL statements against your database3.

Creating a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks would not prevent SQL injection attacks from reaching the ECS API service. Monitoring mode is a feature that enables you to evaluate how your rules would perform without actually blocking any requests. However, this mode does not provide any protection against attacks, as it only logs and counts requests that match your rules4.

Creating a new AWS WAF web ACL and creating a new empty IP set in AWS WAF would not prevent SQL injection attacks from reaching the ECS API service. An IP set is a feature that enables you to specify a list of IP addresses or CIDR blocks that you want to allow or block based on their source IP address. However, this approach would not be effective or efficient against SQL injection attacks, as it would require constantly updating the IP set with new IP addresses of attackers, and it would not block attackers who use proxies or VPNs.

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement. The solution must:

Support automated transfer of raw and processed data.

Offer multiprotocol support.

Be directly usable from the EKS cluster as a mounted volume.

Minimize operational effort by using managed services where possible.

AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.

Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.

In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.

Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.

Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.

Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.

Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.

A is correct becausedefault AWS-managed KMS keys cannot be shared across accounts. Therefore, the only way to enable cross-account backup is to restore each RDS instance using acustomer-managed key (CMK)andshare that keywith the central account.

Then, AWS Backup can performcross-account backup operationsusing AWS Organizations trusted access and backup policies.

Option B is incorrect due to theinability to share default keys.

Option C and D are technically invalid — RDS snapshots cannot be decrypted or re-encrypted manually.

Option A is incorrect because creating an SCP to set a fixed monthly account usage limit is not possible. SCPs are policies that specify the services and actions that users and roles can use in the member accounts of an AWS Organization. SCPscannot enforce budget limits or prevent users from launching costly services or running services unnecessarily1

Option B is correct because using AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process meets the requirement of giving developers a fixed monthly budget to limit their AWS costs. AWS Budgets allows you to plan your service usage, service costs, and instance reservations. You can create budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount2

Option C is correct because creating an SCP to deny access to costly services and components meets the requirement of ensuring that developers are not launching costly services or running services unnecessarily. SCPs can restrict access to certain AWS services or actions based on conditions such as region, resource tags, or request time. For example, an SCP can deny access to Amazon Redshift clusters or Amazon EC2 instances with certain instance types1

Option D is incorrect because creating an IAM policy to deny access to costly services and components is not sufficient to meet the requirement of ensuring that developers are not launching costly services or running services unnecessarily. IAM policies can only control access to resources within a single AWS account. If developers have multiple accounts or can create new accounts, they can bypass the IAMpolicy restrictions. SCPs can apply across multiple accounts within an AWS Organization and prevent users from creating new accounts that do not comply with the SCP rules3

Option E is incorrect because creating an AWS Budgets alert action to terminate services when the budgeted amount is reached is not possible. AWS Budgets alert actions can only perform one of the following actions: apply an IAM policy, apply an SCP, or send a notification through Amazon SNS.AWS Budgets alert actions cannot terminate services directly.

Option F is correct because creating an AWS Budgets alert action to send an Amazon SNS notification when the budgeted amount is reached and invoking an AWS Lambda function to terminate all services meets the requirement of giving developers a fixed monthly budget to limit their AWS costs. AWS Budgets alert actions can send notifications through Amazon SNS when a budget threshold is breached. Amazon SNS can trigger an AWS Lambda function that can perform custom logic such as terminating all services in the developer’s account. This way, developers cannot exceed their budget limit and incur additional costs.

https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/

https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/

AWS Organizations allows the management of multiple AWS accounts as a single entity and AWS CloudFormation StackSets allows creating, updating, and deleting stacks across multiple accounts and regions in an organization. This solution allows creating a single CloudFormation template that can be deployed across multiple accounts and regions, and also allows for the management of access and permissions for the different accounts through the use of IAM roles and policies in the management account.

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-reduce-nat-gateway-transfer-costs/

VPC endpoint policies enable you to control access by either attaching a policy to a VPC endpoint or by using additional fields in a policy that is attached to an IAM user, group, or role to restrict access to only occur via the specified VPC endpoint

The best solution is to create an FSx for Windows File Server file system in the DR Region and establish connectivity between the VPCs in both Regions by using VPC peering. This will ensure that the data does not travel across the public internet and meets the compliance requirements. By using AWS DataSync with interface VPC endpoints and AWS PrivateLink, the data can be copied securely and efficiently between the FSx for Windows File Server file systems in both Regions. This solution also provides the ability to fail over to the DR Region in case of a disaster. References: [Amazon FSx for Windows File Server User Guide], [AWS DataSync User Guide], [Amazon VPC User Guide]

This is doable with IAM policy creation to restrict users to specific instance types. Found the below article.https://blog.vizuri.com/limiting-allowed-aws-instance-type-with-iam-policy

https://aws.amazon.com/blogs/database/amazon-dynamodb-auto-scaling-performance-and-cost-optimization-at-any-scale/ "As you can see, there are compelling reasons to use DynamoDB auto scaling with actively changing traffic. Auto scaling responds quickly and simplifies capacity management, which lowers costs by scaling your table’s provisioned capacity and reducing operational overhead."

Comprehensive and Detailed Explanation From Exact Extract:

C is correct because it converts the single–Availability Zone, single-EC2-instance ECS design into a managed, multi-AZ, self-healing architecture with minimal day-to-day operations. The current design has multiple single points of failure: one EC2 instance for ECS capacity and one Availability Zone for all components. Moving the ECS service to AWS Fargate removes the need to manage EC2 instances (capacity provisioning, patching, and scaling of the container instances) and allows the service to run tasks across multiple Availability Zones for higher availability. On the database side, modifying Aurora PostgreSQL to a Multi-AZ DB cluster (by adding a replica in another AZ) increases availability and supports faster recovery from an AZ failure with AWS-managed failover.

Why the other options are less suitable:

A: Making Aurora Multi-AZ improves database availability, but it does not address the compute layer’s biggest issue: ECS is on a single EC2 instance in one AZ with no auto scaling. RDS Proxy can help with connection management, but it does not fix the application’s single-AZ ECS single-instance availability risk.

B: Cross-Region read replicas and manual failover scripts increase operational burden. Also, it keeps ECS on EC2 (still requires instance management) and introduces a manual failover process, which is the opposite of “least operational overhead.”

D: Multi-Region active-active plus Aurora global database can deliver very high availability, but it adds significant complexity (multi-Region deployment, routing strategy, global database considerations, operational procedures). That is higher operational overhead than a straightforward multi-AZ design using managed services.

The current architecture uses a fleet of small EC2 instances that poll SQS for URLs and write results to EFS. Because URLs arrive only occasionally and each crawl takes 10 seconds or less, EC2 instances are often idle waiting for messages. This leads to unnecessary compute and storage costs.

This workload is naturally event-driven: each URL in the SQS queue triggers a short-lived crawl operation. AWS Lambda is well suited for such event-driven, short-duration tasks. Lambda integrates natively with Amazon SQS as an event source, which allows Lambda to poll the SQS queue automatically and invoke functions when messages arrive, scaling the concurrency up and down as needed. When there are no messages, there are no Lambda invocations and no compute charges, eliminating the cost of idle EC2 instances.

For storage of crawl results, Amazon S3 is a highly durable, cost-effective object store. The current use of an EFS file system mounted on all instances is no longer necessary if each Lambda invocation can write the output directly to S3 as objects (for example, CSV files). S3 charges only for the storage used and requests, and does not require continuously running file system infrastructure.

Option B replaces the idle fleet of EC2 instances with a Lambda function that reads from SQS. This aligns compute usage with actual work and takes advantage of serverless scaling and pricing.

Option E modifies the web-crawling process to store results in Amazon S3 instead of EFS, removing the need to maintain an EFS file system and its associated costs.

Option A increases instance size to m5.8xlarge, which greatly increases capacity and cost. Reducing the number of instances by 50% does not offset the large increase in instance size; it does not address idle capacity and likely increases overall cost.

Option C uses Amazon Neptune, which is a managed graph database service. It is not needed for storing simple CSV output; it is more complex and more expensive than S3 for this use case.

Option D uses Aurora Serverless MySQL. While Aurora Serverless can automatically scale, using a relational database to store simple crawl outputs adds unnecessary cost and operational complexity compared to S3 objects.

Therefore, moving the crawling logic to Lambda triggered by SQS (option B) and writing results directly to Amazon S3 (option E) meets the requirements in the most cost-effective way.

Implementing a CloudFront function that inspects the JWT information and appropriately forwards requests either to the ticketing service or the waiting room service within the Amazon ECS cluster enhances reliability during high load periods. This solution segregates the load between the main application and the waiting room, ensuring that the ticketing service remains unaffected by the high load on the waiting room. Using CloudFront functions for request routing based on JWT attributes allows for efficient distribution of user traffic, thereby maintaining the application's availability and performance during peak times.

AWS Documentation on Amazon CloudFront Functions provides guidance on creating and deploying functions that can inspect and manipulate HTTP(S) requests at the edge, close to the users. This approach is in line with best practices for scaling and managing high-traffic web applications.

In this scenario, the Amazon EC2 instances are in an Auto Scaling group already which means that the database read operations is the possible bottleneck especially during the month-end wherein the reports are generated. This can be solved by creating RDS read replicas.

The best migration strategy to meet the requirement of minimizing database service interruption before the DNS cutover is to use AWS DMS to migrate data between the two Aurora DB clusters. AWS DMS can perform continuous replication of data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift and Amazon S31. AWS DMS supports homogeneous migrations such as migrating from one Aurora MySQL DB cluster to another, as well as heterogeneous migrations between different database platforms2. AWS DMS also supports cross-account migrations, as long as the source and target databases are in the same AWS Region3.

The other options are not optimal for the following reasons:

Option A: Taking a snapshot of the existing Aurora database and restoring it in the new account would require a downtime during the snapshot and restore process, which could be significant for large databases. Moreover, any changes made to the source database after the snapshot would not be replicated to the target database, resulting in data inconsistency4.

Option C: Using AWS Backup to share an Aurora database backup from the existing AWS account to the new AWS account would have the same drawbacks as option A, as AWS Backup uses snapshots to create backups of Aurora databases.

Option D: Using AWS Application Migration Service to migrate data between the two Aurora DB clusters is not a valid option, as AWS Application Migration Service is designed to migrate applications, not databases, to AWS. AWS Application Migration Service can migrate applications from on-premises or other cloud environments to AWS, using agentless or agent-based methods.

https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/NAT-gateway-centralized-egress-ra.pdf?did=wp_card &trk=wp_card

https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/

The correct answer is D.

D. This solution meets the requirements because it uses a scheduled scaling policy for the EC2 instances, which can adjust the capacity according to the known sale events. It also uses Amazon Aurora PostgreSQL Multi-AZ DB cluster, which provides high availability and durability for the database. It uses Amazon EventBridge rules and AWS Lambda functions to create a larger Aurora Replica before a sale event and fail over to it, which can improve the performance and handle the increased traffic.It also uses anotherEventBridge rule and Lambda function to scale down the Aurora Replica after the sale event, which can save costs123

A. This solution is incorrect because it uses predictive scaling policy for the EC2 instances, which is not suitable for one-time events that are scheduled. Predictive scaling is based on historical data and machine learning, which may not accurately forecast the demand for sale events. It also uses Amazon Aurora PostgreSQL Serverless v2 Multi-AZ DB instance, which does not support read replicas.The use of AWS Step Functions state machine and Lambda functions to pre-warm the database is unnecessary and adds complexity45

B. This solution is incorrect because it uses Amazon RDS for PostgreSQL Multi-AZ DB instance with automatically scaling read replicas, which may not provide enough performance improvement for the sale events. The use of EventBridge rules and Lambda functions to create a larger read replica and fail over to it is risky and may cause downtime ordata loss.The use of another EventBridge rule and Lambda function to scale down the read replica is also risky and may cause inconsistency or data loss67

C. This solution is incorrect because it uses predictive scaling policy for the EC2 instances, which is not suitable for one-time events that are scheduled. Predictive scaling is based on historical data and machine learning, which may not accurately forecast the demand for sale events.The use of AWS Step Functions state machine and Lambda functions to pre-warm the database is unnecessary and adds complexity45

AWS Global Accelerator is a networking service that helps you improve the availability and performance of the applications that you offer to your global users1. It provides static IP addresses that act as a fixed entry point to your applications and route user traffic to the optimal endpoint based on performance, health, and policies that you configure1. By creating a standard accelerator endpoint for the NLB in each additional Region, you can ensure that customers are automatically directed to the Region that is geographically closest to them2. You can also provide customers with the Global Accelerator IP address, which is anycast from AWS edge locations and does not change when you add or remove endpoints3.

What is AWS Global Accelerator?

Standard accelerator endpoints

AWS Global Accelerator IP addresses

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html

Create an S3 Bucket:

Log in to the AWS Management Console and navigate to Amazon S3.

Create a new S3 bucket that will serve as the destination for the application data.

Deploy AWS Storage Gateway:

Download and deploy the AWS Storage Gateway virtual machine (VM) on your on-premises environment. This VM can be deployed on VMware ESXi, Microsoft Hyper-V, or Linux KVM.

Configure the File Gateway:

Configure the deployed Storage Gateway as a file gateway. This will enable it to present Amazon S3 buckets as SMB file shares to your on-premises applications.

Create a New File Share:

Within the Storage Gateway configuration, create a new file share that is associated with the S3 bucket you created earlier. This file share will use the SMB protocol, allowing your on-premises applications to access the S3 bucket as if it were a local SMB file share.

Copy Data to the File Gateway:

Use your preferred method (such as robocopy, rsync, or similar tools) to copy data from the on-premises storage to the newly created file gateway endpoint. This data will be stored in the S3 bucket, maintaining accessibility through SMB.

Ensure Secure and Efficient Data Transfer:

AWS Storage Gateway ensures that all data in transit is encrypted using TLS, providing secure data transfer to AWS. It also provides local caching for frequently accessed data, improving access performance for on-premises applications.

This approach allows your existing on-premises applications to continue accessing data via SMB while leveraging the scalability and durability of Amazon S3.

References

AWS Storage Gateway Overview【67】.

AWS DataSync and Storage Gateway Hybrid Architecture【66】.

AWS S3 File Gateway Details【68】.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

Create a Network Load Balancer (NLB) and expose the assigned TCP port. Assign the Elastic IP addresses to the NLB for each Availability Zone. Create a target group and register the EC2 instances with the NLB. Create a new A (alias) record set named my.service.com, and assign the NLB DNS name to the record set. As it uses the NLB as the resource in the A-record, traffic will be routed through the NLB, and it will automatically route the traffic to the healthy instances based on the health checks and also it provides the fixed address assignments as the other companies can add the NLB's Elastic IP addresses to their allow lists.

https://aws.amazon.com/about-aws/whats-new/2016/04/transfer-files-into-amazon-s3-up-to-300-percent-faster/

The company should create an Amazon Route 53 Resolver DNS Firewall domain list that contains the allowed domains. The company should configure a DNS Firewall rule group with a rule that has a high numeric value that blocks all requests. The company should configure a rule that has a low numeric value that allows requests for domains in the allowed list. The company should associate the rule group with the VPC. This solution will meet the requirements because Amazon Route 53 Resolver DNS Firewall is a feature that enables you to filter and regulate outbound DNS traffic for your VPC. You can create reusable collections of filtering rules in DNS Firewall rule groups and associate them with your VPCs. You can specify lists of domain names to allow or block, and you can customize theresponses for the DNS queries that you block1. By creating a domain list with the allowed domains and a rule group with rules to allow or block requests based on the domain list, the company can enforce its security policy and control access to sites.

The other options are not correct because:

Configuring a Route 53 outbound endpoint and associating it with the VPC would not help with filtering outbound DNS traffic. A Route 53 outbound endpoint is a resource that enables you to forward DNS queries from your VPC to your networkover AWS Direct Connect or VPN connections2.It does not provide any filtering capabilities.

Creating a Route 53 traffic flow policy to match the allowed domains would not help with filtering outbound DNS traffic. A Route 53 traffic flow policy is a resource that enables you to route traffic based on multiple criteria, such as endpoint health, geographic location, and latency3.It does not provide any filtering capabilities.

Creating a Gateway Load Balancer (GWLB) would not help with filtering outbound DNS traffic. A GWLB is a service that enables you to deploy, scale, and manage third-party virtual appliances such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems in the cloud4.It does not provide any filtering capabilities.

Installing AWS Outposts for the applications that have data regulatory requirements or requirements for latency of single-digit milliseconds will provide a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises1. AWS Outposts allows customers to run some AWS services locally and connect to a broad range of services available in the local AWS Region1. Using AWS Snowball Edge Compute Optimized devices to host the workloads in the factory sites will provide local compute and storage resources for locations with limited network infrastructure2. AWS Snowball Edge devices can run Amazon EC2 instances and AWS Lambda functions locally and sync data with AWS when network connectivity is available2.

Dis correct:Aurora PostgreSQLis afully managed, high-availabilitydatabase engine.

UseAWS DMSto migrate data andAWS Schema Conversion Tool (SCT)to convert stored procedures from Oracle to Aurora-compatible code.

This meets the requirements ofminimal downtime,managed services, andstored procedure support.

Ais not valid—RDS doesn’t allow custom S3 integration for storage.

Binvolves EC2, which violates the “managed services” constraint.

Crequires complete rewrite of the application logic, which contradicts the minimal downtime requirement.

There are three core requirements: reduce/manage active database connections, keep communication private without internet exposure, and scale to many consumer accounts over time.

To manage and pool database connections to an Amazon RDS for PostgreSQL DB instance, the AWS-managed service designed for this purpose is Amazon RDS Proxy. RDS Proxy maintains a pool of database connections and multiplexes application connections onto fewer database connections. This reduces connection overhead on the database, improves resiliency during failovers, and helps control the number of active connections that reach the DB instance.

Next, the connectivity must be private across accounts and scalable as more consumer accounts are added. AWS PrivateLink provides scalable, private connectivity between VPCs and services across accounts without requiring VPC peering, transitive routing, or exposing traffic to the public internet. With PrivateLink, the database account can publish an endpoint service backed by a Network Load Balancer, and consumer accounts create interface endpoints in their VPCs to connect privately to that service. This is operationally scalable because adding new consumer accounts does not require managing a growing mesh of VPC peering relationships or complex route propagation; each consumer adds an interface endpoint.

Option B is the only option that addresses connection management by introducing RDS Proxy and uses PrivateLink to provide private, cross-account, scalable connectivity. The proxy endpoint being in private subnets aligns with the requirement that traffic stays private.

Option A is incorrect because a NAT gateway in a public subnet is used for outbound internet access from private subnets. It is not needed for private cross-account database access and introduces unnecessary public subnet components. Also, NAT gateways do not manage database connections. Transit gateway can provide private connectivity, but it does not address connection pooling, and the NAT gateway component is not appropriate for the stated requirement of avoiding internet exposure.

Option C is incorrect because an Application Load Balancer is not used to proxy raw PostgreSQL database traffic. PostgreSQL uses TCP, and ALB is primarily for HTTP/HTTPS and higher-layer routing. Also, VPC peering to each consumer VPC does not scale well as the number of accounts grows, and it creates operational overhead to manage many peering connections and route tables. It also does not manage DB connections.

Option D is incorrect because it uses VPC peering and NAT gateway. NAT gateway is again not the correct mechanism for private database access and does not provide connection pooling. VPC peering per consumer is not scalable and increases operational overhead.

Therefore, using RDS Proxy to manage connections and AWS PrivateLink (via an NLB-backed endpoint service) to provide private, scalable cross-account access is the correct solution.

B:https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.requests

D:https://aws.amazon.com/blogs/compute/robust-serverless-application-design-with-aws-lambda-dlq/c

CORS errors occur when a web page hosted on one domain tries to make a request to a server hosted on another domain. In this scenario, the registration form hosted on the static website is trying to make a request to the API Gateway API endpoint hosted on a different domain, which is causing the error. To resolve this error, the Access-Control-Allow-Origin header needs to be set to the domain from which the request is being made. In this case, the header is already set to www.example.com on the CloudFront distribution origin. Therefore, the solutions architect should enable the CORS setting on the API Gateway API endpoint and ensure that the API endpoint is configured to return all responses that have the Access-Control-Allow-Origin header set to www.example.com. This will allow the API endpoint to respond to requests from the static website without a CORS error.

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cors-errors/

Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups. This solution meets the requirements with the least amount of operational overhead as it requires the security team to create and maintain a single customer-managed prefix list, and share it with the organization using AWS Resource Access Manager. The owners of each AWS account are then responsible for allowing the prefix list in their security groups, whicheliminates the need for the security team to manually notify each account owner when changes are made. This solution also eliminates the need for a separate AWS Lambda function in each account, reducing the overall complexity of the solution.

For an EC2 instance to appear as a managed instance in AWS Systems Manager, several prerequisites must be met. Two of the most fundamental requirements are that the Systems Manager Agent (SSM Agent) is installed and running on the instance, and that the instance has an IAM role attached that grants the necessary permissions for Systems Manager to communicate with the service.

When importing a VM from an on-premises environment, the resulting AMI might not include the SSM Agent by default, or the agent might not be enabled to start automatically. If the agent is missing or not running, the instance cannot register with Systems Manager, and it will not appear in the Systems Manager console as a managed instance. Therefore, verifying that the SSM Agent is installed and running is a primary troubleshooting step.

Additionally, the EC2 instance must have an IAM instance profile (role) attached that includes the permissions required by Systems Manager. Typically, this is achieved by attaching a role that includes the AmazonSSMManagedInstanceCore managed policy. Without the appropriate IAM role, even a correctly installed and running agent will not be able to register the instance or perform Systems Manager operations.

Option C (VPC endpoint existence) is not required in this scenario because the instance is in a public subnet and has a public IP address. In this case, the instance can communicate with the Systems Manager endpoints over the internet. VPC endpoints are required when instances do not have internet access (for example, in private subnets without NAT or public IPs), which is not the case here.

Option D (Application Discovery Agent) is unrelated. The AWS Application Discovery Agent is used for migration assessment and discovery of on-premises workloads, not for Systems Manager managed instance registration.

Option E (service-linked roles) is generally not a common cause for a single instance failing to appear as managed, especially when other Systems Manager functionality is working in the account. Service-linked roles for Systems Manager are usually created automatically when needed and do not typically prevent an individual instance from registering if the agent and instance role are correctly configured.

Therefore, the correct troubleshooting steps are to verify the presence and operation of the Systems Manager Agent and to ensure the EC2 instance has the correct IAM role attached.

AWS IoT Core’spre-provisioning hookallows custom logic (like serial number validation)beforea device is registered. This ensures that only installed devices connect. Lambda is ideal for such logic.

AWS IoT Just-in-Time Provisioning

Turning on S3 server-side encryption for the S3 bucket that the web application uses will enable encrypting the data at rest using Amazon S3 managed keys (SSE-S3)1. Creating a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses will enable enforcing encryption for all requests to the bucket2. Configuring redirection of HTTP requests to HTTPS requests in CloudFront will enable encrypting the data in transit using SSL/TLS3.

migrating the data processing script to an AWS Lambda function and using an S3 event notification to invoke the Lambda function to process the objects when the company uploads the objects. This solution meets the company's requirements of high availability and scalability, as well as reducing long-term management overhead, and is likely to be the most cost-effective option.

"The AWS WAF API supports security automation such as blacklisting IP addresses thatexceed request limits, which can be useful for mitigating HTTP flood attacks." >https://aws.amazon.com/blogs/security/how-to-protect-dynamic-web-applications-against-ddos-attacks-by-using-amazon-cloudfront-and-amazon-route-53/

Creating a headless Aurora DB cluster in the secondary Region as part of an Aurora global database ensures continuous, low-latency replication without running active instances in the secondary Region.

This configuration meets the RTO and RPO requirements by allowing rapid promotion of the secondary cluster in a failover scenario.

It also reduces operational costs compared to continuously running standby instances in the secondary Region.

This aligns with AWS best practices for DR and cross-Region resiliency.

Comprehensive and Detailed Explanation From Exact Extract:

B is correct because it implements a fully serverless ingestion-and-streaming design that decouples request intake from processing and delivers real-time updates to clients over WebSockets. The HTTP API provides a serverless front door for REST requests. Sending requests to Amazon SQS buffers bursts and smooths spikes, preventing the backend from being overwhelmed as traffic grows. The SQS → Lambda pattern provides scalable, asynchronous processing. For the “stream data to clients through WebSockets” requirement, AWS AppSync Events (real-time publish/subscribe) allows clients to subscribe over persistent WebSocket connections and receive pushed updates with minimal latency, while producers (the Lambda function) publish events to channels that subscribers receive.

Why the other options are incorrect:

A: AWS Step Functions is an orchestration service for workflows. It does not provide a native mechanism to “set clients as targets” and push data back to arbitrary REST clients over WebSockets.

C: Amazon EventBridge rules can target AWS services (Lambda, SQS, SNS, etc.), but clients are not valid EventBridge targets for direct WebSocket streaming. This does not solve “stream to clients through WebSockets.”

D: CloudFront Functions are for lightweight request/response manipulation at the edge and cannot act as an origin or run complex business logic. Also, writing to an MQTT topic from a CloudFront Function is not a supported pattern. While AWS IoT Core can support MQTT over WebSockets for clients, the proposed CloudFront Function integration is not valid.

The Auto Scaling group can automatically launch and terminate EC2 instances based on the demand and health of the web application. The launch template can specify the configuration of the EC2 instances, such as the AMI, instance type, security group, and user data. The existing ALB can distribute the traffic to the EC2 instances in the Auto Scaling group. The existing EC2 instances can be attached to the Auto Scaling group without deleting them or the ALB. This option minimizes downtime and preserves the current setup of the web application. References: [What is Amazon EC2 Auto Scaling?], [Launch templates], [Attach a load balancer to your Auto Scaling group], [Attach EC2 instances to your Auto Scaling group]

(https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html)

Updating the ingestion process to use Amazon Kinesis Data Firehose to save data to Amazon S3 will reduce the need for EC2 instances and EBS volumes for data storage1. Using AWS Batch with Spot Instances to perform nightly processing will leverage the cost savings of Spot Instances, which are up to 90% cheaper than On-Demand Instances2. AWS Batch will also handle the scheduling and scaling of the processing jobs. Setting the maximum Spot price to 50% of the On-Demand price will reduce the chances of interruption and ensure that the processing is cost-effective.

The IAM policy simulator will generate a policy that contains only the necessary permissions for the application to access Secrets Manager, providing the least privilege necessary to get the job done. This is the most efficient solution as it will not require additional steps such as analyzing CloudTrail events or manually creating and testing an IAM policy.

You can use the IAM policy simulator to generate an IAM policy for an IAM role by specifying the role and the API actions and resources that the application or service requires. The simulator will then generate an IAM policy that grants the least privilege access to those actions and resources.

Once you have generated an IAM policy using the simulator, you can replace the existing SecretsManagerReadWnte policy that is attached to the IAM role with the newly generated policy. This will ensure that the application or service has the least privilege access to the Secrets Manager actions that it requires.

You can access the IAM policy simulator through the IAM console, AWS CLI, and AWS SDKs. Here is the link for more information:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_simulator.html

Creating an AUTH token and storing it in AWS Secrets Manager and configuring the existing cluster to use the AUTH token and configure encryption in transit, and updating the application to retrieve the AUTH token from Secrets Manager when necessary and to use the AUTH token for authentication, would meet the requirements for user authentication and end-to-end encryption.

AWS Secrets Manager is a service that enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Secrets Manager also enables you to encrypt the data and ensure that only authorized users and applications can access it.

By configuring the existing cluster to use the AUTH token and encryption in transit, all data will be encrypted as it is sent over the network, providing additional security for the data stored in ElastiCache.

Additionally, by updating the application to retrieve the AUTH token from Secrets Manager when necessary and to use the AUTH token for authentication, it ensures that only authorized users and applications can access the cache.

The best option is to use Amazon SQS and AWS Lambda to create a serverless order processing application. Amazon SQS is a fully managed message queue service that can decouple the order receiving and processing components, making the application more scalable and fault-tolerant. AWS Lambda is a serverless compute service that can automatically scale to handle the incoming messages from the SQS queue and process them according to the business logic. AWS Lambda can also integrate with Amazon DynamoDB to store the processed orders in a fast and flexible NoSQL database. This approach eliminates the need to provision, manage, or scale any servers or containers, and reduces the operational overhead and cost.

Option A is not reliable because using an EC2-hosted database to receive the orders introduces a single point of failure and a scalability bottleneck. EC2 instances also require more management and configuration than serverless services.

Option C is not reliable because using AWS Step Functions to receive the orders adds unnecessary complexity and cost to the application. AWS Step Functions is a service that coordinates multiple AWS services into a serverless workflow, but it is not designed to handle high-volume, sporadic, or unpredictable traffic patterns. AWS Step Functions also charges per state transition, which can be expensive for a large number of orders. Launching an ECS container to process each order also requires more resources and management than invoking a Lambda function.

Option D is not reliable because using Amazon Kinesis Data Streams to receive the orders is not suitable for this use case. Amazon Kinesis Data Streams is a service that enables real-time processing of streaming data at scale, but it is not meant for asynchronous message queuing. Amazon Kinesis Data Streams requires consumers to poll the data from the stream, which can introduce latency and complexity. Amazon Kinesis Data Streams also charges per shard hour, which can be expensive for a sporadic traffic pattern.

Amazon SQS

AWS Lambda

Amazon DynamoDB

AWS Step Functions

Amazon ECS

https://repost.aws/knowledge-center/ecs-fargate-service-auto-scaling

This solution allows developers to quickly launch resources using pre-approved configurations and instance types, while also ensuring that the resources launched comply with the company's architectural patterns. This can help reduce data transfer and compute costs associated with the resources. Using AWS Service Catalog also allows the company to control access to the approved configurations and resources through the use of IAM roles, while also allowing developers to quickly provision resources without negatively affecting their ability to perform their tasks.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatch.html Elastic Beanstalk automatically uses Amazon CloudWatch to help you monitor your application and environment status. You can navigate to the Amazon CloudWatch console to see your dashboard and get an overview of all of your resources as well as your alarms. You can also choose to view more metrics or add custom metrics.

To enhance application availability and reduce maintenance-induced downtime, sending sensor data to Amazon Kinesis Data Firehose, processing it with an AWS Lambda function, converting it to Apache Parquet format, and storing it in Amazon S3 is an effective strategy. This approach leverages serverless architectures for scalability and reliability. Data analysts can then query the optimized data using Amazon Athena, a serverless interactive query service, which supports complex queries on data stored in S3 without the need for traditional database servers, optimizing operational overhead and costs.

AWS Documentation on AWS IoT Core, Amazon Kinesis Data Firehose, AWS Lambda, Amazon S3, and Amazon Athena provides a comprehensive framework for building a scalable, serverless data processing pipeline. This solution aligns with AWS best practices for processing and analyzing large-scale data streams efficiently.

The company should use AWS Amplify to create a static website for uploads of media files. The company should use Amplify Hosting to serve the website through Amazon CloudFront. The company should use Amazon S3 to store the uploaded media files. The company should use Amazon Cognito to authenticate users. This solution will meet the requirements with the least operational overhead because AWS Amplify is a complete solution that lets frontend web and mobile developers easily build, ship, and host full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as use cases evolve. No cloud expertise needed1. By using AWS Amplify, the company can refactor the application to a serverless architecture that reduces operational complexity and costs. AWS Amplify offers the following features and benefits:

Amplify Studio: A visual interface that enables you to build and deploy a full-stack app quickly, including frontend UI and backend.

Amplify CLI: A local toolchain that enables you to configure and manage an app backend with just a few commands.

Amplify Libraries: Open-source client libraries that enable you to build cloud-powered mobile and web apps.

Amplify UI Components: Open-source design system with cloud-connected components for building feature-rich apps fast.

Amplify Hosting: Fully managed CI/CD and hosting for fast, secure, and reliable static and server-side rendered apps.

By using AWS Amplify to create a static website for uploads of media files, the company can leverage Amplify Studio to visually build a pixel-perfect UI and connect it to a cloud backend in clicks. By using Amplify Hosting to serve the website through Amazon CloudFront, the company can easily deploy its web app or website to the fast, secure, and reliable AWS content delivery network (CDN), with hundreds of points of presence globally. Byusing Amazon S3 to store the uploaded media files, the company can benefit from a highly scalable, durable, and cost-effective object storage service that can handle any amount of data2. By using Amazon Cognito to authenticate users, the company can add user sign-up, sign-in, and access control to its web app with a fully managed service that scales to support millions of users3.

The other options are not correct because:

Using AWS Application Migration Service to migrate the application server to Amazon EC2 instances would not refactor the application or accelerate development. AWS Application Migration Service (AWS MGN) is a service that enables you to migrate physical servers, virtual machines (VMs), or cloud servers from any source infrastructure to AWS without requiring agents or specialized tools. However, this would not address the challenges of overutilization and data uploads failures. It would also not reduce operational overhead or costs compared to a serverless architecture.

Creating a static website for uploads of media files and using AWS AppSync to create an API would not be as simple or fast as using AWS Amplify. AWS AppSync is a service that enables you to create flexible APIs for securely accessing, manipulating, and combining data from one or more data sources. However, this would require more configuration and management than using Amplify Studio and Amplify Hosting. It would also not provide authentication features like Amazon Cognito.

Setting up AWS IAM Identity Center (AWS Single Sign-On) to give users the ability to sign in to the application would not be as suitable as using Amazon Cognito. AWS Single Sign-On (AWS SSO) is a service that enables you to centrally manage SSO access and user permissions across multiple AWS accounts and business applications. However, this service is designed for enterprise customers who need to manage access for employees or partners across multiple resources. It is not intended for authenticating end users of web or mobile apps.

https://aws.amazon.com/solutions/implementations/disaster-recovery-for-aws-iot/

Option Ais the most lightweight and scalable approach. By updating the VPC’sDHCP options set, you automatically configure all EC2 instances to use your on-premises NTP server. No extra software or infrastructure is required.

VPC DHCP Options Docs

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual

Adding an accelerator in AWS Global Accelerator will enable improving the performance of the APIs for local and global users1. AWS Global Accelerator is a service that uses the AWS global network to route traffic to the optimal regional endpoint based on health, client location, and policies1. Configuring the ALB as the origin will enable connecting the accelerator to the ALB that exposes the APIs2. AWS Global Accelerator supports non-standard REST methods such as LINK, UNLINK, LOCK, and UNLOCK3.

This option uses Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type to deploy the application containers. Amazon ECS is a fully managed container orchestration service that allows running Docker containers on AWS at scale. Fargate is a serverless compute engine for containers that eliminates the need to provision or manage servers or clusters. With Fargate, the company only pays for the resources required to run its containers, which reduces costs and operational overhead. This option also uses Amazon Elastic File System (Amazon EFS) for shared storage. Amazon EFS is a fully managed file system that provides scalable, elastic, concurrent, and secure file storage for use with AWS cloud services. Amazon EFS supports NFS version 4 protocol, which is compatible with the application’s requirements. To use Amazon EFS with Fargate containers, the company needs to reference the EFS file system ID, container mount point, and EFS authorization IAM role in the ECS task definition.

The company should download the data from the Amazon Redshift tables to an Amazon S3 bucket periodically and use AWS Data Exchange for S3 to share data with customers. The company should configure subscription verification and require the data customers to subscribe to the data product. This solution will meet the requirements with the least operational overhead because AWS Data Exchange for S3 is a feature that enables data subscribers to access third-party data files directly from data providers’ Amazon S3 buckets. Subscribers can easily use these files for their data analysis with AWS services without needing to create or manage data copies. Data providers can easily set up AWS Data Exchange for S3 on top of their existing S3 buckets to share direct access to an entire S3 bucket or specific prefixes and S3 objects. AWS Data Exchange automatically manages subscriptions, entitlements, billing, and payment1.

The other options are not correct because:

Using AWS Data Exchange for APIs to share data with customers would not work because AWS Data Exchange for APIs is a feature that enables data subscribers to access third-party APIs directly from data providers’ AWS accounts. Subscribers can easily use these APIs for their data analysis with AWS services without needing to manage API keys or tokens. Data providers can easily set up AWS Data Exchangefor APIs on top of their existing API Gateway resources to share direct access to an entire API or specific routes and stages2. However, this feature is not suitable for sharing data from Amazon Redshift tables, which are not exposed as APIs.

Creating an Amazon API Gateway Data API service integration with Amazon Redshift would not work because the Data API is a feature that enables you to query your Amazon Redshift cluster using HTTP requests, without needing a persistent connection or a SQL client3. It is useful for building applications that interact with Amazon Redshift, but not for sharing data files with customers.

Creating an AWS Data Exchange datashare by connecting AWS Data Exchange to the Redshift cluster would not work because AWS Data Exchange does not support datashares for Amazon Redshift clusters. A datashare is a feature that enables you to share live and secure access to your Amazon Redshift data across your accounts or with third parties without copying or moving the underlying data4. It is useful for sharing query results and views with other users, but not for sharing data files with customers.

Publishing the Amazon Redshift data to an Open Data on AWS Data Exchange would not work because Open Data on AWS Data Exchange is a feature that enables you to find and use free and public datasets from AWS customers and partners. It is useful for accessing open and free data, but not for confirming the identities of the customers or charging them for the data.

Create Amazon S3 gateway endpoint in the VPC and add a VPC endpoint policy. This VPC endpoint policy will have a statement that allows S3 access only via access points owned by the organization.

The combination of changes that will meet the requirement with the least operational overhead are:

A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint.Implement a Route 53 multivalue answer routing policy.

B. Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.

C. Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region’s replicated secret, select the appropriate KMS key.

These changes will enable the company to have an active-active configuration for its API across multiple Regions, while minimizing the complexity and cost of managing the secrets and keys.

A. This change will allow the company to use Route 53 to distribute traffic across multiple Regional API endpoints, based on the availability and latency of each endpoint.This will improve the performance and availability of the API for global customers12

B. This change will allow the company to use KMS multi-Region keys, which are KMS keys in different Regions that can be used interchangeably.This will simplify the encryption and decryption of secrets across Regions, as the same key material and key ID can be used in any Region34

C. This change will allow the company to use Secrets Manager replication, which replicates the encrypted secret data and metadata across the specified Regions.This will ensure that the secrets are consistent and accessible in any Region, andthat any update made to the primary secret will be propagated to the replica secrets automatically56

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/ by Cloudxie says "select appropriate log"

The correct answer is B. This option uses IAM Identity Center to create permission sets that map to the existing IAM roles in each account. This way, the company can leverage the existing policies and roles that are already configured for the expected activities of each group of users in each account. The company also needs to create a customer managed policy that allows the group to assume the roles and attach it to thepermission set. This policy grants the necessary permissions for IAM Identity Center to assume the roles on behalf of the users. Finally, the company can assign user access to the AWS accounts in IAM Identity Center, which will automatically create IAM users and groups in each account based on the permission sets.

Option A is incorrect because it requires creating new policies in each account and giving them the same name. This is not necessary and adds complexity and overhead. The company can use the existing IAM roles and policies that are already configured for each account.

Option C is incorrect because it requires creating new policies in each account and giving them unique names. This is also not necessary and adds complexity and overhead. The company can use the existing IAM roles and policies that are already configured for each account.

Option D is incorrect because it requires adding the OU to the accounts configuration in IAM Identity Center. This is not supported by IAM Identity Center, which only allows adding individual accounts or all accounts in an organization.

The correct answer is B.

B. This solution meets the requirements because it uses AWS Cost Anomaly Detection, which is a feature of AWS Cost Management that uses machine learning to identify and alert on anomalous spend and usage patterns. By configuring a monitor type of AWS Service and applying a filter of Amazon EC2, the solution can track the EC2 usage as a metric across the organization’s accounts.By configuring an alert subscription with a threshold of 10%, the solution can notify the architecture team via email or AmazonSNS if the EC2 usage is more than 10% higher than the average usage for the last 30 days12

A. This solution is incorrect because it uses AWS Budgets, which is a feature of AWS Cost Management that helps to plan and track costs and usage. However, AWS Budgets does not support usage type of EC2 running hours as a budget type. The only supported usage types are Amazon S3 storage, Amazon EC2 RI utilization, and Amazon EC2 RI coverage. Moreover, AWS Budgets does not support setting the budget amount based on the reported average usage from AWS Cost Explorer.The budget amount has to be a fixed or variable value34

C. This solution is incorrect because it uses AWS Trusted Advisor, which is a feature of AWS Premium Support that provides recommendations to follow best practices for cost optimization, security, performance, and fault tolerance. However, AWS Trusted Advisor does not support configuring custom alerts based on EC2 usage or average usage for the last 30 days.The only supported alerts are based on predefined checks and thresholds that are applied to all services and resources in the account56

D. This solution is incorrect because it uses Amazon Detective, which is a service that helps to analyze and visualize security data to investigate potential security issues. However, Amazon Detective does not support configuring EC2 usage anomaly alerts basedon average usage for the last 30 days.The only supported alerts are based on GuardDuty findings and other security-related events that are detected by machine learning models78

Configuring the Aurora MySQL DB cluster to publish slow query and error logs to AmazonCloudWatch Logs will allow the solutions architect to monitor and troubleshoot the database performance by identifying slow or problematic queries1. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Implementing the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for Java will allow the solutions architect to measure and map the end-to-end latency and performance of the web application3. X-Ray traces show how requests travel through the application components, such as web servers, load balancers, microservices, and databases4. X-Ray also provides features such as service maps, annotations, histograms, and error rates to analyze and optimize the application performance.

Installing and configuring an Amazon CloudWatch Logs agent on the EC2 instances to send the Apache logs to CloudWatch Logs will allow the solutions architect to monitor and troubleshoot the web server performance by collecting and storing the Apache access and error logs. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Publishing Aurora MySQL logs to Amazon CloudWatch Logs

Working with log data in CloudWatch Logs

Instrumenting your application with the X-Ray SDK for Java

Tracing requests with AWS X-Ray

[Analyzing application performance with AWS X-Ray]

[Using CloudWatch Logs with your Apache web server]

B is correct. WhenPrivate DNSis enabled for an interface endpoint, AWS automatically updates the public service DNS names (e.g., s3.amazonaws.com) to resolve toprivate IPsinside the VPC. This ensures all traffic stays within the AWS network and complies with the private IP policy.

A is not necessary — VPC endpoints already route via local network.

C only affects security group rules, not DNS resolution.

D is unnecessary unless using custom DNS resolution systems.

When EC2 instances reach third-party API through internet, their privates IP addresses will be masked by NAT Gateway public IP address.

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-bring-your-own-ip-byoip-for-amazon-vpc/

The company should purchase the same Reserved Instances for an additional 3-year term with All Upfront payment. The company should purchase a 3-year Compute Savings Plan with All Upfront payment in the management account to cover any additional compute costs. This solution will provide the company with the most cost savings because Reserved Instances and Savings Plans are both pricing models that offer significant discounts compared to On-Demand pricing. Reserved Instances are commitments to use a specific instance type and size in a single Region for a one- or three-year term. You can choose between three payment options: No Upfront, Partial Upfront, or All Upfront. The more you pay upfront, the greater the discount1. Savings Plans are flexible pricing models that offer low prices on EC2 instances, Fargate, and Lambda usage, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a one- or three-year term. You can choose between two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans apply to any EC2 instance regardless of Region, instance family, operating system, or tenancy, including those that are part of EMR, ECS, or EKS clusters, or launched by Fargate or Lambda. EC2 Instance Savings Plans apply to a specific instance family within a Region and provide the most savings2. By purchasing the same Reserved Instances for an additional 3-year term with All Upfront payment, the company can lock in the lowest possible price for its EC2 instances that run continuously for 3 years. By purchasing a 3-year Compute Savings Plan with All Upfront payment in the management account, the company can benefit from additional discounts on any other compute usage across its member accounts.

The other options are not correct because:

Purchasing a 1-year Compute Savings Plan with No Upfront payment in each member account would not provide as much cost savings as purchasing a 3-year Compute Savings Plan with All Upfront payment in the management account. A 1-year term offers lower discounts than a 3-year term, and a No Upfront payment option offers lower discounts than an All Upfront payment option. Also, purchasing a Savings Plan in each member account would not allow the company to share the benefits of unused Savings Plan discounts across its organization.

Purchasing a 3-year EC2 Instance Savings Plan with No Upfront payment in the management account to cover EC2 costs in each AWS Region would not provide as much cost savings as purchasing Reserved Instances for an additional 3-year term with All Upfront payment. An EC2 Instance Savings Plan offers lower discounts than Reserved Instances for the same instance family and Region. Also, a No Upfront payment option offers lower discounts than an All Upfront payment option.

Purchasing a 3-year EC2 Instance Savings Plan with All Upfront payment in each member account would not provide as much flexibility or cost savings as purchasing a 3-year Compute Savings Plan with All Upfront payment in the management account. An EC2 Instance Savings Plan applies only to a specific instance family within a Region and does not cover Fargate or Lambda usage. Also, purchasing aSavings Plan in each member account would not allow the company to share the benefits of unused Savings Plan discounts across its organization.

B: Archiving inactive user uploads toGlacier Deep Archiveoffers the lowest storage cost.

E: Since the users are in Europe only, usingPrice Class 200reduces CloudFront delivery cost without affecting performance.

A (expiration) deletes data — not suitable.

C is invalid (App Runner does not support Spot).

D might save little unless read traffic is high.

D is correct because AWS Private CA supports resource sharing through AWS RAM, which allows you to share the CA across accounts in your AWS Organization securely. It ensures the CA private key remains secure and is never exported.

A is invalid because you cannot export a CA’s private key, and importing/exporting CAs this way is unsupported.

B is incorrect — IAM policies alone are not sufficient to share Private CAs across accounts.

C is not applicable because resource-based delegation policies do not apply to AWS Private CA.

The company’s goal is to modernize the application while minimizing operational overhead. The current architecture relies heavily on self-managed EC2 instances for web serving, APIs, search, and relational data storage. This increases operational burden related to patching, scaling, availability, and troubleshooting.

Option B replaces self-managed components with fully managed AWS services that are purpose-built for each workload type. Hosting the static web application on Amazon S3 with Amazon CloudFront removes the need to manage web servers such as NGINX and provides global content delivery with built-in scalability and high availability. Migrating the search data to Amazon OpenSearch Service eliminates the need to manage an EC2-based OpenSearch node, providing a managed search service with built-in scaling, patching, and monitoring. Migrating PostgreSQL to Amazon Aurora PostgreSQL removes the operational overhead of managing database instances on EC2 and provides managed backups, high availability, and performance optimizations. Running APIs on AWS App Runner further reduces operational effort by abstracting infrastructure management, scaling, and deployment, allowing the team to focus on application code.

Option A still requires running and operating containerized databases and search engines, which is not recommended and does not significantly reduce operational overhead compared to EC2-based deployments. Databases and OpenSearch are better consumed as managed services rather than as containers.

Option C introduces Amazon EKS, which adds significant operational complexity. Even with managed node groups, Kubernetes requires cluster management, networking configuration, upgrades, and ongoing operational expertise. This contradicts the requirement for the least operational overhead.

Option D attempts to run databases and OpenSearch on AWS App Runner. App Runner is designed for stateless web services and APIs, not for stateful services such as databases or search engines. This architecture is not aligned with AWS best practices and would introduce reliability and operational challenges.

Therefore, using managed services such as Amazon CloudFront, Amazon S3, Amazon OpenSearch Service, Amazon Aurora PostgreSQL, and AWS App Runner provides the most modern architecture with the least operational overhead.

Amazon SageMaker is a fully managed machine learning service that allows users to build, train, and deploy machine learning models quickly and easily1. Users can export their existing TensorFlow models and store the model artifacts in Amazon S3, a highly scalable and durable object storage service2. Users can then deploy the model to Amazon SageMaker and create an endpoint that can be invoked by the web application to provide recommendations3. This way, the solution can leverage the AI/ML capabilities of Amazon SageMaker without having to rewrite the personalization model.

AWS Elastic Beanstalk is a service that allows users to deploy and manage web applications without worrying about the infrastructure that runs those applications. Users can host their Java application in AWS Elastic Beanstalk and configure it to communicate with the Amazon SageMaker endpoint. This way, the solution can reduce the operational overhead of managing servers, load balancers, scaling, and application health monitoring.

AWS Database Migration Service (AWS DMS) is a service that helps users migrate databases to AWS quickly and securely. Users can use AWS DMS to migrate their SQL Server database to Amazon RDS for SQL Server, a fully managed relational database service that offers high availability, scalability, security, and compatibility. This way, the solution canreduce the operational overhead of managing database servers, backups, patches, and upgrades.

Option A is incorrect because using AWS Server Migration Service (AWS SMS) to migrate the on-premises physical application server and the web application VMs to AWS is not cost-effective or scalable. AWS SMS is a service that helps users migrate on-premises workloads to AWS. However, for this use case, migrating the physical application server and the web application VMs to AWS will not take advantage of the AI/ML capabilities of Amazon SageMaker or the managed services of AWS Elastic Beanstalk and Amazon RDS.

Option C is incorrect because using AWS Application Migration Service to migrate the on-premises personalization model and VMs to Amazon EC2 instances in Auto Scaling groups is not cost-effective or scalable. AWS Application Migration Service is a service that helps users migrate applications from on-premises or other clouds to AWS without making any changes to their applications. However, for this use case, migrating the personalization model and VMs to EC2 instances will not take advantage of the AI/ML capabilities of Amazon SageMaker or the managed services of AWS Elastic Beanstalk and Amazon RDS.

Option D is incorrect because containerizing the personalization model and the Java application and using Amazon Elastic Kubernetes Service (Amazon EKS) managed node groups to deploy them to Amazon EKS is not necessary or cost-effective. Amazon EKS is a service that allows users to run Kubernetes on AWS without needing to install, operate, and maintain their own Kubernetes control plane or nodes. However, for this use case, containerizing and deploying the personalization model and the Java application will not take advantage of the AI/ML capabilities of Amazon SageMaker or the managed services of AWS Elastic Beanstalk. Moreover, using S3 Glacier Deep Archive as a storage class for images will incur a high retrieval fee and latency for accessing them.

Option C is correct because using Auto Scaling groups for the backend services allows the company to scale up or down the number of EC2 instances based on the demand and traffic. This way, the backend services can handle more requests during peak seasons without compromising performance or availability. Using DynamoDB auto scaling allows the company to adjust the provisioned read and write capacity of the table or index automatically based on the actual traffic patterns. This way, the table or index can handle sudden increases or decreases in workload without throttling or overprovisioning1.

Option A is incorrect because migrating the backend services to AWS Lambda may require significant development effort to rewrite the code and test the functionality. Moreover, increasing the read and write capacity of DynamoDB manually may not be efficient or cost-effective, as it does not account for the variability of the workload. The company may end up paying for unused capacity or experiencing throttling if the workload exceeds the provisioned capacity1.

Option B is incorrect because migrating the backend services to AWS Lambda may require significant development effort to rewrite the code and test the functionality. Moreover, configuring DynamoDB to use global tables may not be necessary or beneficial for the company, as global tables are mainly used for replicating data across multiple AWS Regions for fast local access and disaster recovery. Global tables do not automatically scale the provisioned capacity of each replica table; they still require manual or auto scaling settings2.

Option D is incorrect because using Amazon Simple Queue Service (Amazon SQS) and an AWS Lambda function to write to DynamoDB may introduce additional complexity and latency to the application architecture. Amazon SQS is a message queue service that decouples and coordinates the components of a distributed system. AWS Lambda is a serverless compute service that runs code in response to events. Using these services may require significant development effort to integrate them with the backend services and DynamoDB. Moreover, they may not improve the read performance of DynamoDB, which may also be affected by high traffic3.

Auto Scaling groups

DynamoDB auto scaling

AWS Lambda

DynamoDB global tables

AWS Lambda vs EC2: Comparison of AWS Compute Resources - Simform

Managing throughput capacity automatically with DynamoDB auto scaling - Amazon DynamoDB

AWS Aurora Global Database vs. DynamoDB Global Tables

Amazon Simple Queue Service (SQS)

A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any Region and access it from all other Regions. The following describe scenarios where you can use a Direct Connect gateway.https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/

https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

The correct solution is to use the authenticate-oidc action for the ALB listener rule and configure it with the details of the AWS Directory Service for Microsoft Active Directory directory. This way, the ALB can use OpenID Connect (OIDC) to authenticate users against the directory and grant them access to the intranet web application. The app client in the directory is used to register the ALB as an OIDC client and provide the necessary credentials and endpoints. The callback URL is the URL that the ALB redirects the user to after a successful authentication. This solution does not require any additional services or roles, and it leverages the existing directory accounts for all users.

The other solutions are incorrect because they either use the wrong action for the ALB listener rule, or they involve unnecessary or incompatible services or roles. For example:

Solution B is incorrect because it uses Amazon Cognito user pool, which is a separate user directory service that does not integrate with AWS Directory Service for Microsoft Active Directory. To use this solution, the company would have to migrate or synchronize their users from the directory to the user pool, which is not required by the question. Moreover, the authenticate-cognito action for the ALB listener rule only works with Amazon Cognito user pools, not with federated identity providers (IdPs) that have metadata from the directory.

Solution C is incorrect because it uses IAM as an identity provider (IdP), which is not compatible with AWS Directory Service for Microsoft Active Directory. IAM can only be used as an IdP for web identity federation, which allows users to sign in with social media or other third-party IdPs, not with Active Directory. Moreover, the authenticate-oidc action for the ALB listener rule requires an OIDC IdP, not a SAML 2.0 federation IdP, which is what IAM provides.

Solution D is incorrect because it uses AWS IAM Identity Center (AWS Single Sign-On), which is a service that simplifies the management of SSO access to multiple AWS accounts and business applications. This service is not needed for the scenario in the question, which only involves a single intranet web application. Moreover, the authenticate-cognito action for the ALB listener rule does not work with external IdPs that use SAML, such as AWS IAM Identity Center.

Authenticate users using an Application Load Balancer

What is AWS Directory Service for Microsoft Active Directory?

Using OpenID Connect for user authentication

https://aws.amazon.com/global-accelerator/faqs/

Kinesis Data Streams is a real-time streaming service and provide near-real-time analytics. Also the question "Deliver results of processing to a data warehouse" and this option has redshift cluster which is a powerful data warehousing solution that can handle large-scale analytics workloads.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html

D is correct because this solution modernizes the application into aserverless architectureusing API Gateway and Lambda for scalable microservices.Aurora Serverless v2supports SQL workloads and auto-scales based on demand.AWS SCTallows migration of SQL Server stored procedures to Aurora-compatible formats. This setup ensures cost efficiency, scalability, and minimal manual intervention.

A rehosts but doesn’t refactor into microservices.

B uses MySQL, which might not support the SQL Server-specific stored procedures fully.

C adds unnecessary complexity and loses relational database functionality by using DAX.

Comprehensive and Detailed in Depth Explanation:

A is correct because write throttling on DynamoDB means WCU (write capacity units) are insufficient. Increasing them will reduce the error rate.

D is correct because introducing Kinesis allows for efficient, high-throughput ingestion and batch processing, reducing the number of Lambda invocations and overall load.

A: Use dynamic IAM policies with {aws:PrincipalTag/userName} to enforceprefix-level access control— i.e., bucket/userA/*, bucket/userB/*.

C: Enable CloudTraildata eventsto capture object-level access andquery them withAthena. This is the AWS-recommended way to audit per-user object access.

Incorrect:

B doesn't provide user isolation.

D only capturesmanagement events, not object-level data access.

E is legacy, inefficient, and not structured for per-user auditing.

https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html

- Export an OVF Template

- Create / use an Amazon S3 bucket for storing the exported images. The bucket must be in the Region where you want to import your VMs.

- Create an IAM role named vmimport.

- You'll use AWS CLI to run the import commands.

https://aws.amazon.com/premiumsupport/knowledge-center/import-instances/

To offer services to other companies using AWS without traversing the internet, creating a VPC Endpoint Service hosted behind an Application Load Balancer (ALB) and making it available over AWS Direct Connect (DX) is the most suitable solution. This approach ensures that the service traffic remains within the AWS network, adhering to the requirement that connectivity must not traverse the internet. An ALB is capable of handlingHTTP/HTTPS traffic, making it appropriate for web-based services. Utilizing DX for connectivity between the on-premises data center and AWS further secures and optimizes the network path.

AWS Direct Connect Documentation: Explains how to set up DX for private connectivity between AWS and an on-premises network.

Amazon VPC Endpoint Services (AWS PrivateLink) Documentation: Provides details on creating and configuring endpoint services for private, secure access to services hosted in AWS.

AWS Application Load Balancer Documentation: Offers guidance on configuring ALBs to distribute HTTP/HTTPS traffic efficiently.

The company should create a second target group that is referenced by the ALB. The company should deploy the new logic to EC2 instances in this new target group. The company should update the ALB listener rule to use weighted target groups. The company should configure ALB target group stickiness. This solution will meet the requirements because weighted target groups are a feature that enables you to distribute traffic across multiple target groups using a single listener rule. You can specify a weight for each target group, which determines the percentage of requests that are routed to that target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests1. By creating a second target group and deploying the new logic to EC2 instances in this new target group, the company can have two versions of its business logic running in parallel. By updating the ALB listener rule to use weighted target groups,the company can control how much traffic is sent to each version. By configuring ALB target group stickiness, the company can ensure that a customer uses the same version of the business logic during the testing window. Target group stickiness is a feature that enables you to bind a user’s session to a specific target within a target group for the duration of the session2.

The other options are not correct because:

Creating a second ALB and deploying the new logic to a set of EC2 instances in a new Auto Scaling group would not be as cost-effective or simple as using weighted target groups. A second ALB would incur additional charges and require more configuration and management. Updating the Route 53 record to use weighted routing would not ensure that a customer uses the same version of the business logic during the testing window, as DNS caching could affect how requests are routed.

Creating a new launch configuration for the Auto Scaling group and replacing it on the Auto Scaling group would not allow for gradual traffic shifting between versions. A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. You can specify information such as the AMI ID, instance type, key pair, security groups, and block device mapping for your instances3. However, replacing the launch configuration on an Auto Scaling group would affect all instances in that group, not just 10% of customers.

Creating a second Auto Scaling group and changing the ALB routing algorithm to least outstanding requests (LOR) would not allow for controlled traffic shifting between versions. A second Auto Scaling group would require more configuration and management. The LOR routing algorithm is a feature that enables you to route traffic based on how quickly targets respond to requests. The load balancer selects a target from the target group with the fewest outstanding requests4. However, this algorithm does not take into account customer sessions or weights.

https://docs.aws.amazon.com/filegateway/latest/files3/CreatingAnSMBFileShare.html

https://aws.amazon.com/premiumsupport/knowledge-center/dynamodb-global-table-stream-lambda/?nc1=h_ls

The requirements emphasize minimum downtime, rapid migration, managed database services, high availability, and support for stored procedures. For Oracle-to-AWS migrations with minimal downtime, AWS DMS can replicate ongoing changes from the source database to the target, which reduces cutover downtime. However, a critical constraint is that the database contains stored procedures. If the company moves to a different engine, it must convert schema objects and procedural code.

Option D is the only option that combines an online replication approach (AWS DMS) with a managed, highly available target database (Amazon Aurora PostgreSQL) and explicitly includes schema and stored procedure conversion with AWS SCT. This aligns with a fast migration approach: SCT prepares the converted schema and stored procedures, while DMS performs ongoing replication of data changes until cutover, minimizing downtime. Aurora PostgreSQL is a managed service and supports high availability through multi-AZ architecture and managed failover capabilities within a Region.

Option A is incorrect because Amazon RDS does not use an S3 bucket “as database storage” in the way described. RDS storage is managed by the RDS service, and S3 replication is not the mechanism used to provide database high availability. High availability for RDS is typically achieved through Multi-AZ configurations and/or cluster-based architectures depending on engine. The described storage approach is not a valid managed RDS architecture.

Option B does not meet the managed database requirement because it restores Oracle onto EC2 instances, which is self-managed. It also does not meet minimum downtime because it requires shutting down the on-premises database to avoid new transactions before restoring the backup. This is a longer outage model than an online migration with continuous replication.

Option C is not feasible and would require major redesign. DynamoDB is not a relational database replacement for Oracle stored procedures. DAX is a DynamoDB cache and cannot run stored procedures. The option also incorrectly suggests running stored procedures “in DAX.” This does not meet the “migrate as quickly as possible with minimum downtime” requirement due to extensive refactoring and redesign.

Therefore, migrating to Aurora PostgreSQL using AWS SCT for schema and stored procedure conversion, and AWS DMS for ongoing replication to minimize downtime, is the best fit.

Option A is correct because placing the EC2 instances behind an Application Load Balancer (ALB) and associating an SSL certificate from AWS Certificate Manager (ACM) with the ALB enables encryption in transit between the client and the ALB. Exporting the SSL certificate and installing it on each EC2 instance enables encryption in transit between the ALB and the web server. Configuring the ALB to listen on port 443 and to forward traffic to port 443 on the instances ensures that HTTPS is used for both connections. This solution achieves end-to-end encryption in transit for the web application12

The correct approach involves activating the BusinessUnit cost allocation tag in the management account to ensure costs are tagged consistently across the organization.

The AWS Cost and Usage Report (CUR), delivered to a single Amazon S3 bucket in the management account, consolidates cost and usage data across all member accounts.

Amazon Athena can efficiently query the CUR data directly from S3, while Amazon QuickSight can be used to create interactive dashboards and reports that visualize the cost allocation by business unit.

This solution minimizes complexity, centralizes reporting, and leverages AWS native services for the best cost optimization and insights.

Amazon Connect is a cloud-based contact center service that allows you to set up a virtual call center for your business. It provides an easy-to-use interface for managing customer interactions through voice and chat. Amazon Connect integrates with other AWS services, such as Amazon S3 and Amazon Kinesis, to help you collect, store, and analyze customer data for insights into customer behavior and trends. On the other hand, Amazon Pinpoint is a marketing automation and analytics service that allows you to engage with your customers across different channels, such as email, SMS, push notifications, and voice. It helps you create personalized campaigns based on userbehavior and enables you to track user engagement and retention. While both services allow you to communicate with your customers, they serve different purposes. Amazon Connect is focused on customer support and service, while Amazon Pinpoint is focused on marketing and engagement.

https://aws.amazon.com/about-aws/whats-new/2017/11/aws-lambda-supports-traffic-shifting-and-phased-deployments-with-aws-codedeploy/

Set Up EventBridge Event Bus:

Step 1: Open the Amazon EventBridge console and create a custom event bus. This bus will be used to handle user deletion events.

Step 2: Name the event bus appropriately (e.g.,user-deletion-bus).

Post Events on User Deletion:

Step 1: Modify the central user service to post an event to the custom EventBridge event bus whenever a user is deleted.

Step 2: Ensure the event includes relevant details such as the user ID and any other necessary metadata.

Create EventBridge Rules for Microservices:

Step 1: For each microservice that needs to delete user data, create a new rule in EventBridge that triggers on the user deletion event.

Step 2: Define the event pattern to match the user deletion event. This pattern should include the event details posted by the central user service.

Invoke Microservice Logic:

Step 1: Configure the EventBridge rule to invoke a target, such as an AWS Lambda function, which contains the logic to delete the user data from the microservice's data store.

Step 2: Each microservice should have its Lambda function or equivalent logic to handle the deletion of user data upon receiving the event.

Using Amazon EventBridge ensures a scalable, reliable, and decoupled approach to handle the deletion of user data across multiple microservices. This setup allows each microservice to independently process user deletion events without direct dependencies on other services.

References

AWS EventBridge Documentation

DynamoDB Streams and AWS Lambda Triggers

Implementing the Transactional Outbox Pattern with EventBridge Pipes​(AWS Documentation)​​(Amazon Web Services, Inc.)​​(Amazon Web Services, Inc.)​​(AWS Documentation)​​(AWS Cloud Community)​.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.htmlhttps://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/configurecostallocreport.html

https://aws.amazon.com/getting-started/hands-on/move-to-managed/migrate-mongodb-to-documentdb/

Migrating the containers that run the application to AWS Fargate for Amazon Elastic Container Service (Amazon ECS) will meet the requirement of not administering the Docker hosting environment. AWS Fargate is a serverless compute engine that runs containerswithout requiring any infrastructure management3. Creating an Amazon Elastic File System (Amazon EFS) file system and adding a volume to the Fargate task definition to point to the EFS file system will meet the requirement of low-latency storage that will automatically scale throughput to meet increased demand. Amazon EFS is a fully managed file system service that provides shared access to data from multiple containers, supports NFSv4 protocol, and offers consistent performance and high availability4. Amazon EFS also supports automatic scaling of throughput based on the amount of data stored in the file system5.