SAA-C03 AWS Certified Solutions Architect - Associate (SAA-C03) Questions and Answers

Amazon EMR allows the creation of security configurations to specify settings for encrypting data at rest, data in transit, or both. These configurations can be applied to clusters to ensure that data stored in Amazon S3, local disks, and data moving between nodes is encrypted.

By creating and applying an EMR security configuration, the company can ensure that all data processing complies with encryption requirements for sensitive patient data.

The most suitable design change for the company’s application is to request strongly consistent reads for the table. This change will ensure that the requests to the table return the latest data, reflecting the updates from all prior write operations.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. DynamoDB supports two types of read consistency: eventually consistent reads and strongly consistent reads.By default, DynamoDB uses eventually consistent reads, unless users specify otherwise1.

Eventually consistent reads are reads that may not reflect the results of a recently completed write operation. The response might not include the changes because of the latency of propagating the data to all replicas. If users repeat their read request after a short time, the response should return the updated data.Eventually consistent reads are suitable for applications that do not require up-to-date data or can tolerate eventual consistency1.

Strongly consistent reads are reads that return a result that reflects all writes that received a successful response prior to the read. Users can request a strongly consistent read by setting the ConsistentRead parameter to true in their read operations, such as GetItem, Query, or Scan.Strongly consistent reads are suitable for applications that require up-to-date data or cannot tolerate eventual consistency1.

The other options are not correct because they do not address the issue of read consistency or are not relevant for the use case. Adding read replicas to the table is not correct because this option is not supported by DynamoDB. Read replicas are copies of a primary database instance that can serve read-only traffic and improve availability and performance.Read replicas are available for some relational database services, such as Amazon RDS or Amazon Aurora, but not for DynamoDB2. Using a global secondary index (GSI) is not correct because this option is not related to read consistency. A GSI is an index that has a partition key and an optional sort key that are different from those on the base table.A GSI allows users to query the data in different ways, with eventual consistency3. Requesting eventually consistent reads for the table is not correct because this option is already the default behavior of DynamoDB and does not solve the problem of requests not returning the latest data.

The solution that will improve the performance of the data tier is to deploy an Amazon ElastiCache for Redis cluster in front of the existing DB instance and modify the game to use Redis. This solution will enable the game to store and retrieve the location data of the players in a fast and scalable way, as Redis is an in-memory data store that supports geospatial data typesand commands. By using ElastiCache for Redis, the game can reduce the load on the RDS for PostgreSQL DB instance, which is not optimized for high-frequency updates and queries of location data. ElastiCache for Redis also supports replication, sharding, and auto scaling to handle the increasing user base of the game.

The other solutions are not as effective as the first one because they either do not improve the performance, do not support geospatial data, or do not leverage caching. Taking a snapshot of the existing DB instance and restoring it with Multi-AZ enabled will not improve the performance of the data tier, as it only provides high availability and durability, but not scalability or low latency. Migrating from Amazon RDS to Amazon OpenSearch Service with OpenSearch Dashboards will not improve the performance of the data tier, as OpenSearch Service is mainly designed for full-text search and analytics, not for real-time location tracking. OpenSearch Service also does not support geospatial data types and commands natively, unlike Redis. Deploying Amazon DynamoDB Accelerator (DAX) in front of the existing DB instance and modifying the game to use DAX will not improve the performance of the data tier, as DAX is only compatible with DynamoDB, not with RDS for PostgreSQL. DAX also does not support geospatial data types and commands.

AWS Compute Optimizerprovides detailed recommendations for optimizingAmazon EBS volumes, including insights into underutilized volumes, inefficient configurations, and potential cost savings. It analyzes usage patterns and provides recommendations based on historical data, making it the ideal tool for this use case.

Option A (Amazon Inspector): Amazon Inspector is for security assessments, not for cost optimization.

Option B (Systems Manager): Systems Manager does not specifically provide EBS optimization recommendations.

Option C (CloudWatch): CloudWatch metrics help monitor usage but do not offer optimization recommendations like Compute Optimizer.

AWS References:

AWS Compute Optimizer

The company wants to reduce end-to-end load time for its global customer base.AWS Global Acceleratorprovides a network optimization service that reduces latency by routing traffic to the nearest AWS edge locations, improving the user experience for globally distributed customers.

AWS Global Accelerator:

Global Acceleratorimproves the performance of your applications by routing traffic through AWS’s global network infrastructure. This reduces the number of hops and latency compared to using the public internet.

By creating astandard acceleratorand configuring the existing NLBs as target endpoints, Global Accelerator ensures that traffic from users around the world is routed to the nearest AWS edge location and then through optimized paths to the NLBs in each region. This significantly improves end-to-end load time for global customers.

Why Not the Other Options?:

Option A (ALBs instead of NLBs): ALBs are designed for HTTP/HTTPS traffic and provide layer 7 features, but they wouldn’t solve the latency issue for a global customer base. The key problem here is latency, and Global Accelerator is specifically designed to address that.

Option B (Route 53 weighted routing): Route 53 can route traffic to different regions, but it doesn’t optimize network performance. It simply balances traffic between endpoints without improving latency.

Option C (Additional NLBs in more regions): This could potentially improve latency but would require setting up infrastructure in multiple regions. Global Accelerator is a simpler and more efficient solution that leverages AWS’s existing global network.

AWS References:

AWS Global Accelerator

By usingAWS Global Acceleratorwith the existing NLBs, the company can optimize global traffic routing and improve the customer experience by minimizing latency. Therefore,Option Dis the correct answer.

When designing a microservice architecture where each microservice interacts with different AWS services, it's essential to follow the principle of least privilege. This means granting each microservice only the permissions it needs to perform its tasks, reducing the risk of unauthorized access or accidental actions.

The recommended approach is to create individualIAM roleswith policies that grant each microservice the specific permissions it requires. Then, these roles should be associated with the EC2 instances that run the corresponding microservice. By doing so, each EC2 instance will assume its specific IAM role, and permissions will be automatically managed by AWS.

IAM roles provide temporary credentials via the instance metadata service, eliminating the need to hard-code credentials in your application code, which enhances security.

AWS References:

IAM Roles for Amazon EC2explains how EC2 instances can use IAM roles to securely access AWS services without managing long-term credentials.

Best Practices for IAMincludes recommendations for implementing the least privilege principle and using IAM roles effectively.

Why the other options are incorrect:

A. Assign an IAM user to each microservice: This requires managing long-term credentials (access keys), which should be avoided. Storing keys in application code is insecure and creates a maintenance burden.

B. Create a single IAM role: This violates the principle of least privilege, as a single role with broad permissions across all services is less secure.

C. Use AWS Organizations: This approach adds unnecessary complexity. Managing permissions at the account level for each microservice is excessive for this use case and doesn't adhere to the principle of least privilege.

Amazon Route 53 Multivalue Answer Routing: This routing policy allows Route 53 to return multiple values, such as IP addresses, in response to DNS queries. This can distribute traffic across multiple resources and includes health checks to ensure traffic is only routed to healthy instances.

Health Checks:

Configure health checks for each Region to monitor the health of the website instances.

Route 53 will only include healthy instances in the DNS responses, ensuring that traffic is not routed to an unhealthy Region.

Load Distribution and Disaster Recovery:

Multivalue answer routing helps balance the load between instances in different Regions.

If instances in one Region become unhealthy, Route 53 will route traffic to the healthy instances in the other Region.

Operational Simplicity: This solution does not require complex configurations or additional resources, making it a simple yet effective way to distribute traffic and ensure high availability.

Amazon S3 Storage Lens:

S3 Storage Lens provides organization-wide visibility into object storage usage and activity trends.

It can generate metrics and insights about your S3 buckets, including versioning status.

Configuration:

Enable S3 Storage Lens at the organization level.

Configure the dashboard to include the versioning status metric.

Identify Non-Versioned Buckets:

Use the S3 Storage Lens dashboard to filter and identify buckets that do not have versioning enabled.

Storage Lens provides detailed insights and reports which can be used to enforce compliance and manage storage effectively.

Operational Efficiency: Using S3 Storage Lens provides a centralized, easy-to-use interface for monitoring bucket configurations across multiple Regions and accounts, reducing the need for custom scripts or manual checks.

Apresigned URLallows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS References:

Amazon S3 Presigned URLsexplain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Securityemphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A. Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B. Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.

C. Create an IAM user: Creating an IAM user and managing credentials is unnecessary overhead and less secure compared to a presigned URL for this short-term need.

This solution meets the company's requirements with minimal administrative overhead and ensures security and ease of management.

AWS AppConfig: AWS AppConfig is a service designed to manage application configuration in a secure and validated way. It allows you to deploy configurations safely and quickly without affecting the application's performance or availability.

AWS Secrets Manager: AWS Secrets Manager is specifically designed to manage, retrieve, and rotate credentials for databases and other services. It integrates seamlessly with AWS services like Amazon RDS, making it an ideal solution for securely storing and retrieving database credentials. Secrets Manager also provides automatic rotation of credentials, reducing the operational burden.

Why Not Other Options?:

Option B (AWS Lambda + Parameter Store): While AWS Lambda can be used for managing configurations and AWS Systems Manager Parameter Store can store credentials, this approach involves more manual setup and does not offer the same level of integrated management and security as AppConfig and Secrets Manager.

Option C (Encrypted S3 Configuration File): Storing configuration and credentials in S3 files involves more manual management and security considerations, increasing the administrative overhead.

Option D (AppConfig + RDS for credentials): RDS is not designed for storing application credentials; it's better suited for managing database instances and their configurations.

AWS References:

AWS AppConfig- Describes how to use AWS AppConfig for managing application configurations.

AWS Secrets Manager- Provides details on securely storing and retrieving credentials using AWS Secrets Manager.

AWS Secrets Manager is designed specifically to securely store and manage sensitive information such as database credentials. It integrates seamlessly with AWS services like Lambda and RDS, and it provides automatic credential rotation with minimal operational overhead.

AWS Secrets Manager: By storing the database credentials in Secrets Manager, you ensure that the credentials are securely stored, encrypted, and managed. Secrets Manager provides a built-in mechanism to automatically rotate credentials at regular intervals (e.g., every 30 days), which helps in maintaining security best practices without requiring additional manual intervention.

Lambda Integration: The Lambda function can be easily configured to retrieve the credentials from Secrets Manager using the AWS SDK, ensuring that the credentials are accessed securely at runtime.

Why Not Other Options?:

Option A (Parameter Store with Rotation): While Parameter Store can store parameters securely, Secrets Manager is more tailored for secrets management and automatic rotation, offering more features and less operational overhead.

Option C (Encrypted Lambda environment variable): Storing credentials directly in Lambda environment variables, even when encrypted, requires custom code to manage rotation, which increases operational complexity.

Option D (KMS with automatic rotation): KMS is for managing encryption keys, not for storing and rotating secrets like database credentials. This option would require more custom implementation to manage credentials securely.

AWS References:

AWS Secrets Manager- Detailed documentation on how to store, manage, and rotate secrets using AWS Secrets Manager.

Using Secrets Manager with AWS Lambda- Guidance on integrating Secrets Manager with Lambda for secure credential management.

The most suitable solution for the company’s requirements is to enable Default Host Configuration Management in Systems Manager to manage the EC2 instances. This solution will allow the company to patch the EC2 instances without disrupting the running applications and without manually creating or modifying IAM roles or users.

Default Host Configuration Management is a feature of AWS Systems Manager that enables Systems Manager to manage EC2 instances automatically as managed instances. A managed instance is an EC2 instance that is configured for use with Systems Manager. The benefits of managing instances with Systems Manager include the following:

Connect to EC2 instances securely using Session Manager.

Perform automated patch scans using Patch Manager.

View detailed information about instances using Systems Manager Inventory.

Track and manage instances using Fleet Manager.

Keep SSM Agent up to date automatically.

Default Host Configuration Management makes it possible to manage EC2 instances without having to manually create an IAM instance profile. Instead, Default Host Configuration Management creates and applies a default IAM role to ensure that Systems Manager has permissions to manage all instances in the Region and account where it is activated.If thepermissions provided are not sufficient for the use case, the default IAM role can be modified or replaced with a custom role1.

The other options are not correct because they either have more operational overhead or do not meet the requirements. Creating a new IAM role, attaching the AmazonSSMManagedInstanceCore policy to the new IAM role, and attaching the new IAM role and the existing IAM role to the EC2 instances is not correct because this solution requires manual creation and management of IAM roles, which adds complexity and cost to the solution.The AmazonSSMManagedInstanceCore policy is a managed policy that grants permissions for Systems Manager core functionality2. Creating an IAM user, attaching the AmazonSSMManagedInstanceCore policy to the IAM user, and configuring Systems Manager to use the IAM user to manage the EC2 instances is not correct because this solution requires manual creation and management of IAM users, which adds complexity and cost to the solution.An IAM user is an identity within an AWS account that has specific permissions for a single person or application3. Removing the existing policies from the existing IAM role and adding the AmazonSSMManagedInstanceCore policy to the existing IAM role is not correct because this solution may disrupt the running applications that rely on the existing policies for accessing RDS databases.An IAM role is an identity within an AWS account that has specific permissions for a service or entity4.

Amazon FSx for Lustre: Lustre is a high-performance file system designed for workloads that require fast storage with sustained high throughput and low latency. It integrates with Amazon S3, making it suitable for HPC environments.

Persistent File Systems:

Persistent Storage: Suitable for long-term storage and recurrent use, providing durability and availability.

High Throughput and Low Latency: Persistent Lustre file systems can handle large amounts of data with sub-millisecond latency, meeting the needs of high-performance computing workloads.

Simultaneous Access: FSx for Lustre allows thousands of compute instances to access and process large datasets concurrently, ensuring that the high volume of data is handled efficiently.

Highly Available: FSx for Lustre is designed to provide high availability and is managed by AWS, reducing the operational burden.

The combination of these solutions provides an efficient and automated way to migrate data while preserving metadata and ensuring cleanup:

Create a new S3 bucket with versioning enabled(Option A) to preserve object metadata like version IDs during migration.

UseS3 batch operations(Option B) to efficiently copy data from specific prefixes in the source bucket to the destination bucket, ensuring minimal overhead.

Use an S3 Lifecycle policy(Option F) to automatically delete the data from the source bucket after it has been migrated, reducing manual intervention.

Option C (CopyObject API): This approach would require more manual scripting and effort.

Option D (Same-Region Replication): SRR is designed for ongoing replication, not for one-time migrations.

Option E (DataSync): DataSync adds more complexity than necessary for this task.

AWS References:

S3 Batch Operations

S3 Lifecycle Policies

AWSService Catalogis designed to allow organizations to manage a catalog of approved products (including AMIs) that users can deploy. By creating a portfolio that contains only EC2 instances launched with preapproved AMIs, the company can enforce compliance with the approved operating system and software for all EC2 instances. Service Catalog also streamlines the process of launching EC2 instances, reducing the lead time while ensuring that developers use only the approved configurations.

Option B (EC2 Image Builder): While EC2 Image Builder helps in creating and managing AMIs, it doesn't provide the enforcement mechanism that Service Catalog does.

Option C (EventBridge rule and Systems Manager script): This solution is reactive and involves more operational complexity compared to Service Catalog.

Option D (AWS Config rule): This option is reactive (it terminates non-compliant instances after launch) and introduces additional operational overhead.

AWS References:

AWS Service Catalog

S3 One Zone-IA:

Suitable for infrequently accessed data that doesn't require multiple Availability Zone resilience.

Cost-effective for storing user-uploaded images that are only used for AI model training twice a year.

S3 Standard:

Ideal for frequently accessed data with high durability and availability.

Store premium user-generated AI images here to ensure they are readily available for download at any time.

S3 Standard-IA:

Cost-effective storage for data that is accessed less frequently but still requires rapid retrieval.

Store non-premium user-generated AI images here, as these images are only downloaded once every 6 hours, making it a good balance between cost and accessibility.

Cost-Effectiveness: This solution optimizes storage costs by categorizing data based on access patterns and durability requirements, ensuring that each type of data is stored in the most cost-effective manner.

AWS Service Catalogallows organizations to centrally manage commonly deployed IT services and offers self-service deployment capabilities to customers. By creatingService Catalog products, the consulting company can package their solutions and tools for easy reuse by customers while maintaining central control over configuration and access. This provides a standardized and automated solution with the least operational overhead for managing and deploying solutions across different customers.

Option A (CloudFormation): CloudFormation templates are useful but don't provide the same level of management and user-friendly self-service capabilities as Service Catalog.

Option C (Systems Manager): Systems Manager is more focused on managing infrastructure and doesn't offer the same self-service capabilities.

Option D (AWS Config): AWS Config is used for tracking resource configurations, not for deploying solutions.

AWS References:

AWS Service Catalog

Option Ais the most automated and cost-efficient solution for exporting data to S3 for analytics.

Option Binvolves manual setup of Streams to S3.

Options C and Dintroduce complexity with EMR.

For processing thousands of images and generating large files while minimizing manual tasks and operational overhead, usingAWS Batchis the best solution. AWS Batch allows you to run large-scale, parallel, and managed batch computing jobs without needing to manage the underlying infrastructure.

AWS Batch: Automates the image processing jobs, dynamically allocating the necessary resources based on the job requirements, which reduces operational overhead.

AWS Step Functions: Orchestrates the entire image processing workflow, ensuring that tasks are executed in the correct sequence, improving manageability.

Amazon S3: Stores the processed files, providing scalable and cost-effective storage.

Option A (ECS with EC2 Spot Instances): While cost-effective, managing ECS and Spot Instances involves more operational effort.

Option C (Lambda with EC2 Spot): Lambda functions have size and duration limitations, making them less suited for large image processing tasks.

Option D (EC2 with Step Functions): Managing EC2 instances involves more overhead than using AWS Batch.

AWS References:

AWS Batch

AWS Step Functions

A. Aurora MySQL:Handles OLTP workloads efficiently with built-in replication and auto-scaling capabilities.

B. EC2 with MySQL:Requires heavy manual maintenance and does not scale seamlessly.

C. RDS for MySQL:Limited in auto-scaling compared to Aurora.

D. Redshift:Primarily for OLAP, not suitable for OLTP workloads.

DynamoDB Global Tablesprovide a fully managed, multi-region, and multi-master database solution that allows you to deploy DynamoDB tables in multiple AWS Regions. This ensures high availability and resiliency across different geographical locations, providing a seamlessgaming experience for users. Usingprovisioned capacity modewithauto-scalingensures cost-efficiency by scaling up or down based on actual demand.

Option A: While on-demand capacity mode is flexible, provisioned capacity with auto-scaling is more cost-effective for predictable workloads.

Option B (DAX): DAX improves read performance, but it doesn't provide the multi-region replication needed for high availability and resiliency.

Option C: DynamoDB Streams with manual cross-region replication adds more complexity and operational overhead compared to Global Tables.

AWS References:

DynamoDB Global Tables

Setting the RDS backup retention policy to 30 days forautomated backupsthrough AWS Backup allows the company to retain backups cost-effectively. Manual backups, however, are notautomatically managed by RDS's retention policy, so they need to be manually deleted if they are older than 30 days to avoid unnecessary storage costs.

Key AWS features:

Automated Backups: Can be configured with a retention policy of up to 35 days, ensuring that older automated backups are deleted automatically.

Manual Backups: These are not subject to the automated retention policy and must be manually managed to avoid extra costs.

AWS Documentation: AWS recommends using backup retention policies for automated backups while manually managing manual backups​.

Amazon RDSBlue/Green Deploymentsis the ideal solution for upgrading the database version with minimal operational overhead and no data loss. Blue/Green Deployments allows you to create a separate, fully managed "green" environment with the upgraded database version. You can test the new version in the green environment while the "blue" environment continuesserving production traffic. Once testing is complete, you can seamlessly switch traffic to the green environment without downtime.

This solution provides:

Fast, non-disruptive upgrade: Traffic is only switched to the new environment after testing, ensuring zero data loss.

Minimal operational overhead: AWS handles the infrastructure management, reducing manual intervention.

Option A (Manual snapshot): This requires manual intervention and involves more operational overhead.

Option B (Native backup/restore): This approach is more labor-intensive and slower than Blue/Green Deployments.

Option C (DMS): AWS DMS adds unnecessary complexity for a simple version upgrade when Blue/Green Deployments can handle the task more efficiently.

AWS References:

Amazon RDS Blue/Green Deployments

Amazon QLDB is the most cost-effective and suitable service for maintainingimmutable, cryptographically verifiable logsof data changes. QLDB provides a fully managed ledgerdatabase with a built-in cryptographic hash chain, making it ideal for recording changes to accounting records, ensuring data integrity and security.

QLDB reduces operational overhead by offering fully managed services, so there’s no need for server management, and it’s built specifically to ensure immutability and verifiability, making it the best fit for the given requirements.

Option A (Redshift): Redshift is designed for analytics and not for immutable, cryptographically verifiable logs.

Option B (Neptune): Neptune is a graph database, which is not suitable for this use case.

Option C (Timestream): Timestream is a time series database optimized for time-stamped data, but it does not provide immutable or cryptographically verifiable logs.

AWS References:

Amazon QLDB

How QLDB Works

To process each form exactly once and ensure no data is lost, using an Amazon SQS FIFO (First-In-First-Out) queue is the most appropriate solution. SQS FIFO queues guarantee that messages are processed in the exact order they are sent and ensure that each message is processed exactly once. This ensures data consistency and reliability, both of which are crucial for processing user-submitted forms without data loss.

SQS acts as a buffer between the web application server and the worker tier, ensuring that submitted forms are stored reliably and forwarded to the worker tier for processing. This also decouples the application, improving its scalability and resilience.

Option B (API Gateway): API Gateway is better suited for API management rather than acting as a message queue for form processing.

Option C (SQS Standard Queue): While SQS Standard queues offer high throughput, they do not guarantee exactly-once processing or the strict ordering needed for this use case.

Option D (Step Functions): Step Functions are useful for orchestrating workflows but add unnecessary complexity for simple message queuing and form processing.

AWS References:

Amazon SQS FIFO Queues

Decoupling Application Tiers Using Amazon SQS

The issue in this case is related to the processing tier, where EC2 instances are overwhelmed at peak times, causing delays.Option D, using anAmazon EC2 Auto Scaling target tracking policybased on theApproximateNumberOfMessagesin the SQS queue, is the best solution.

Auto Scaling with Target Tracking:

Target tracking policiesdynamically scale out or in based on a specific metric. For this use case, you can monitor theApproximateNumberOfMessagesin the SQS queue. When the number of messages (orders) in the queue increases, the Auto Scaling group will scale out more EC2 instances to handle the additional load, ensuring that the queue doesn’t build up and cause delays.

This solution is ideal for handling variable and unpredictable peak times, as Auto Scaling can automatically adjust based on real-time load rather than scheduled times.

Why Not the Other Options?:

Option A (Scheduled Scaling): Scheduled scaling works well for predictable peak times, but this company experiencesunpredictable peak usage, making scheduled scaling less effective.

Option B (ElastiCache for Redis): Adding a caching layer would help if DynamoDB were the bottleneck, but in this case, the issue is CPU overload on EC2 instances in the processing tier.

Option C (CloudFront): CloudFront would help cache static content from the web tier, but it wouldn’t resolve the issue of the processing tier’s overloaded EC2 instances.

AWS References:

Amazon EC2 Auto Scaling Target Tracking

Amazon SQS ApproximateNumberOfMessages

AWS Control Tower: Provides a managed service to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of AWS Organizations and applies security controls (guardrails).

Networking Account:

Create a centralized networking account that includes a VPC with both private and public subnets.

This centralized VPC will manage and control the networking resources.

AWS Resource Access Manager (AWS RAM):

Use AWS RAM to share the subnets from the networking account with the other workload accounts.

This allows different workload accounts to utilize the shared networking resources without the need to manage their own VPCs.

Operational Efficiency: Using AWS Control Tower simplifies the setup and governance of multiple AWS accounts, while AWS RAM facilitates centralized management of networking resources, reducing operational overhead and ensuring consistent security and compliance.

https://aws.amazon.com/pt/blogs/aws/amazon-cloudfront-support-for-custom-origins/

You can now create a CloudFront distribution using a custom origin. Each distribution will can point to an S3 or to a custom origin. This could be another storage service, or it could be something more interesting and more dynamic, such as an EC2 instance or even an Elastic Load Balancer

Storage Gateway Volume Gateway (Cached Volumes): This configuration allows you to store your primary data in Amazon S3 while retaining frequently accessed data locally in a cache for low-latency access.

Low-Latency Access: Frequently accessed data is cached locally on-premises, providing low-latency access while the less frequently accessed data is stored cost-effectively in Amazon S3.

Implementation:

Deploy a Storage Gateway appliance on-premises or in a virtual environment.

Configure it as a volume gateway with cached volumes.

Create volumes and configure your applications to use these volumes.

Minimal Infrastructure Changes: This solution integrates seamlessly with existing on-premises infrastructure, requiring minimal changes and reducing dependency on on-premises storage servers.

The company is looking for a solution that provides single sign-on (SSO) across multiple AWS accounts while continuing to manage users and groups in their on-premises Active Directory (AD). AWS IAM Identity Center (formerly AWS SSO) is the recommended solution for this type of requirement.

AWS IAM Identity Centerprovides a centralized identity management solution, enabling single sign-on across multiple AWS accounts and other cloud applications. It can integrate with on-premises Active Directory to leverage existing users and groups.

By configuring a two-way forest trust relationship between AWS Directory Service for Microsoft Active Directory and the company's on-premises Active Directory, users can be authenticated by their on-premises AD and still access AWS resources through IAM Identity Center. This solution allows centralized management of AWS accounts within AWS Organizations.

The two-way trust allows mutual access between the on-premises AD and the AWS Directory Service. This means that users and groups in the on-premises AD can be used for authentication in AWS IAM Identity Center while maintaining the existing identity management system.

AWS References:

AWS IAM Identity Center Documentation

AWS Directory Service for Microsoft Active Directory Trust Relationships

AWS Directory Service Integration with IAM Identity Center

Why the other options are incorrect:

A. Create an Enterprise Edition Active Directory in AWS Directory Service: This would require setting up a new directory and managing it in AWS, which adds unnecessary overhead. The requirement is to continue using the existing on-premises AD, making this option unsuitable.

C. Use AWS Directory Service and create a two-way trust relationship: While this approach establishes a trust between on-premises AD and AWS Directory Service, it does not address the single sign-on (SSO) requirements across multiple AWS accounts through IAM Identity Center.

D. Deploy an identity provider (IdP) on Amazon EC2: This is more complex than necessary and introduces more management overhead. AWS IAM Identity Center natively supports integration with on-premises Active Directory without requiring a custom IdP.

Cluster Placement Group: This type of placement group is designed to provide low-latency network performance and high throughput by grouping instances within a single Availability Zone. It is ideal for applications that require tightly coupled node-to-node communication.

Configuration:

When launching EC2 instances, specify the option to launch them in a cluster placement group.

This ensures that the instances are physically located close to each other, reducing latency and increasing network throughput.

Benefits:

Low-Latency Communication: Instances in a cluster placement group benefit from enhanced networking capabilities, enabling low-latency communication.

High Network Throughput: The network performance within a cluster placement group is optimized for high throughput, which is essential for HPC workloads.

Amazon Neptune: Neptune is a fully managed graph database service that is optimized for storing and querying highly connected data. It supports both property graph and RDF graph models, making it suitable for applications that need to analyze relationships between data entities.

Neptune Streams: Neptune Streams captures changes to the graph and streams these changes to other AWS services. This is useful for applications that need to monitor and respond to changes in real-time, such as providing recommendations based on user interactions and relationships.

Least Operational Overhead: Using Neptune Streams directly with Amazon Neptune ensures that the solution is tightly integrated, reducing the need for additional components and minimizing operational overhead. This integration simplifies the architecture by eliminating the need for a separate service like Kinesis for change processing.

This solution meets the following requirements:

It is operationally efficient, as it only requires one activation of the cost allocation tag and one creation of the cost report from the management account, which has access to all the member accounts’ data and billing preferences.

It is consistent, as it uses the AWS-defined cost allocation tag named department, which is automatically applied to resources when the company creates tags using the tagging policy enforced by AWS Organizations. This ensures that the tag name and value are the same across all the resources and accounts, and avoids any discrepancies or errors that might arise from user-defined tags.

It is informative, as it creates one cost report in Cost Explorer grouping by the tag name, and filters by EC2. This allows the accounting team to see the breakdown of EC2 consumption and costs by department, regardless of the AWS account. The team can also use other features of Cost Explorer, such as charts, filters, and forecasts, to analyze and optimize the spending.

The company wants to improve the availability and performance of the application, as well as protect it against common web exploits. The company also needs static IP addresses for the application. To meet these requirements, a solutions architect should recommend the following solution:

Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. NLBs are designed to handle millions of requests per second while maintaining high throughput at ultra-low latency. NLBs also support static IP addresses for each Availability Zone, which can be useful for whitelisting or firewalling purposes.

Deploy AWS WAF on the NLBs. AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect availability, security, or performance. AWS WAF lets you define customizable web security rules that control which traffic to allow or block to your web applications.

Create an accelerator using AWS Global Accelerator and register the NLBs as endpoints. AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users. It provides static IP addresses that act as a fixed entry point to your application endpoints in any AWS Region. It uses the AWS global network to optimize the path from your users to your applications, improving the performance of your TCP and UDP traffic.

This solution will provide high availability across Availability Zones and Regions, improve performance by routing traffic over the AWS global network, protect the application from common web attacks, and provide static IP addresses for the application.

Amazon Cognito user pools provide a secure and scalable user directory for user authentication and management. User pools support various authentication methods, such as username and password, email and password, phone number and password, and social identity providers. User pools also support multi-factor authentication (MFA), which adds an extra layer of security by requiring users to provide a verification code or a biometric factor in addition to their credentials. User pools can also enable risk-based adaptive authentication, which dynamically adjusts the authentication challenge based on the risk level of the sign-in attempt. For example, if a user tries to sign in from an unfamiliar device or location, the user pool can require a stronger authentication factor, such as SMS or email verification code. This feature helps to protect user accounts from unauthorized access and reduce the friction for legitimate users. User pools can scale up to millions of users and integrate with other AWS services, such as Amazon SNS, Amazon SES, AWS Lambda, and AWS KMS.

Amazon Cognito identity pools provide a way to federate identities from multiple identity providers, such as user pools, social identity providers, and corporate identity providers. Identity pools allow users to access AWS resources with temporary, limited-privilege credentials. Identity pools do not provide user authentication or management features, such as MFA or adaptive authentication. Therefore, option B is not correct.

AWS Identity and Access Management (IAM) is a service that helps to manage access to AWS resources. IAM users are entities that represent people or applications that need to interact with AWS. IAM users can be authenticated with a password or an access key. IAM users can also enable MFA for their own accounts, by using the AllowManageOwnUserMFA action in an IAM policy. However, IAM users are not suitable for user authentication for web or mobile applications, as they are intended for administrative purposes. IAM users also do not support adaptive authentication based on risk factors. Therefore, option C is not correct.

AWS IAM Identity Center (AWS Single Sign-On) is a service that enables users to sign in to multiple AWS accounts and applications with a single set of credentials. AWS SSO supports various identity sources, such as AWS SSO directory, AWS Managed Microsoft AD, and external identity providers. AWS SSO also supports MFA for user authentication, which can be configured in the permission sets that define the level of access for each user. However, AWSSSO does not support adaptive authentication based on risk factors. Therefore, option D is not correct.

The solution that will meet the requirements is to create Amazon Kinesis data streams for data ingestion, create Amazon Kinesis Data Firehose delivery streams to consume the Kinesis data streams, and specify the S3 bucket as the destination of the delivery streams. This solution will allow the company’s application to ingest real-time data from third-party applications and place the ingested raw data in an S3 bucket. Amazon Kinesis data streams are scalable and durable streams that can capture and store data from hundreds of thousands of sources. Amazon Kinesis Data Firehose is a fully managed service that can deliver streaming data to destinations such as S3, Amazon Redshift, Amazon OpenSearch Service, and Splunk. Amazon Kinesis Data Firehose can also transform and compress the data before delivering it to S3.

The other solutions are not as effective as the first one because they either do not support real-time data ingestion, do not work with third-party applications, or do not use S3 as the destination. Creating database migration tasks in AWS Database Migration Service (AWS DMS) will not support real-time data ingestion, as AWS DMS is mainly designed for migrating relational databases, not streaming data. AWS DMS also requires replication instances, source endpoints, and target endpoints to be compatible with specific database engines and versions. Creating and configuring AWS DataSync agents on the EC2 instances will not work with third-party applications, as AWS DataSync is a service that transfers data between on-premises storage systems and AWS storage services, not between applications. AWS DataSync also requires installing agents on the source or destination servers. Creating an AWS Direct Connect connection to the application for data ingestion will not use S3 as the destination, as AWS Direct Connect is a service that establishes a dedicated network connection between on-premises andAWS, not between applications and storage services. AWS Direct Connect also requires a physical connection to an AWS Direct Connect location.

These two solutions will optimize the HPC environment for networking and storage. Amazon FSx for Lustre is a fully managed service that provides cost-effective, high-performance, scalable storage for compute workloads. It is built on the world’s most popular high-performance file system, Lustre, which is designed for applications that require fast storage, such as HPC and machine learning. By configuring the file system with scratch storage, you can achieve sub-millisecond latencies, up to hundreds of GBs/s of throughput, and millions of IOPS. Scratch file systems are ideal for temporary storage and shorter-term processing of data. Data is not replicated and does not persist if a file server fails. For more information, see Amazon FSx for Lustre.

Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables customers to run applications requiring high levels of inter-node communications at scale on AWS. Its custom-built operating system (OS) bypass hardware interface enhances the performance of inter-instance communications, which is critical to scaling HPC and machine learning applications. EFA provides a low-latency, low-jitter channel for inter-instance communications, enabling your tightly-coupled HPC or distributed machine learning applications to scale to thousands of cores. EFA uses libfabric interface and libfabric APIs for communications, which are supported by most HPC programming models. For more information, see Elastic Fabric Adapter.

The other solutions are not suitable for optimizing the HPC environment for networking and storage. AWS Global Accelerator is a networking service that helps you improve the availability, performance, and security of your public applications by using the AWS global network. It provides two global static public IPs, deterministic routing, fast failover, and TCP termination at the edge for your application endpoints. However, it does not support OS-bypass capabilities or high-performance file systems that are required for HPC and machine learning applications. For more information, see AWS Global Accelerator.

Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS services such as Amazon S3, Amazon EC2, AWS Elemental Media Services, AWS Shield, AWS WAF, and AWS Lambda@Edge. However, CloudFront is not designed for HPC and machine learning applications that require high levels of inter-node communications and fast storage. For more information, see [Amazon CloudFront].

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. However, Elastic Beanstalk is not optimized for HPC and machine learning applications that require OS-bypass capabilities and high-performance file systems. For more information, see [AWS Elastic Beanstalk].

These options are the most suitable ways to design a shared storage solution for a web application that is deployed across multiple Availability Zones and requires strong consistency. Option B uses Amazon Elastic File System (Amazon EFS) as a shared file system that can be mounted on multiple EC2 instances in different Availability Zones. Amazon EFS provides high availability, durability, scalability, and performance for file-based workloads. It also supports strong consistency, which means that any changes made to the file system are immediately visible to all clients. Option E uses Amazon S3 as a shared object store that can store the web content and serve it through Amazon CloudFront, a content delivery network (CDN). Amazon S3 provides high availability, durability, scalability, and performance for object-based workloads. It also supports strong consistency for read-after-write and list operations, which means that any changes made to the objects are immediately visible to all clients. By setting the metadata for the Cache-Control header to no-cache, the web content can be prevented from being cached by the browsers or the CDN edge locations, ensuring that the latest content is always delivered to the users.

Option A is not suitable because using AWS Storage Gateway Volume Gateway as a shared storage solution for a web application is not efficient or scalable. AWS Storage Gateway Volume Gateway is a hybrid cloud storage service that provides block storage volumes that can be mounted on-premises or on EC2 instances as iSCSI devices. It is useful for migrating or backing up data to AWS, but it is not designed for serving web content or providing strong consistency. Moreover, using Volume Gateway would incur additional costs and complexity, and it would not leverage the native AWS storage services.

Option C is not suitable because creating a shared Amazon EBS volume and mounting it on multiple EC2 instances is not possible or reliable. Amazon EBS is a block storage service that provides persistent and high-performance volumes for EC2 instances. However, EBS volumescan only be attached to one EC2 instance at a time, and they are constrained to a single Availability Zone. Therefore, creating a shared EBS volume for a web application that is deployed across multiple Availability Zones is not feasible. Moreover, EBS volumes do not support strong consistency, which means that any changes made to the volume may not be immediately visible to other clients.

Option D is not suitable because using AWS DataSync to perform continuous synchronization of data between EC2 hosts in the Auto Scaling group is not efficient or scalable. AWS DataSync is a data transfer service that helps you move large amounts of data to and from AWS storage services. It is useful for migrating or archiving data, but it is not designed for serving web content or providing strong consistency. Moreover, using DataSync would incur additional costs and complexity, and it would not leverage the native AWS storage services. References:

What Is Amazon Elastic File System?

What Is Amazon Simple Storage Service?

What Is Amazon CloudFront?

What Is AWS Storage Gateway?

What Is Amazon Elastic Block Store?

What Is AWS DataSync?

By placing the JSON documents in an S3 bucket, the documents will be stored in a highly durable and scalable object storage service. The use of AWS Lambda allows the company to run their Python code to process the documents as they arrive in the S3 bucket without having to worry about the underlying infrastructure. This also allows for horizontal scalability, as AWS Lambda will automatically scale the number of instances of the function based on the incoming rate of requests. The results can be stored in an Amazon Aurora DB cluster, which is a fully-managed, high-performance database service that is compatible with MySQL and PostgreSQL. This will provide the necessary durability and scalability for the results of the processing.

https://aws.amazon.com/rds/aurora/

Edge-optimized API endpointsroute requests through CloudFront, reducing latency for global users.

Option Acorrectly implements edge-optimization, caching, and compression to minimize latency.

Options B and Ddo not use edge optimization, leading to higher latency for global users.

Reserved concurrency inOptions C and Dimproves backend scaling but does not address global latency directly.

Amazon Athenais a serverless query service that allows you to run SQL queries directly on data stored in Amazon S3 without the need for a data warehouse. It is cost-effective because you only pay for the queries you run, and it can handleApache Parquetfiles efficiently. Additionally, Athena integrates with KMS, making it suitable for querying encrypted data.

Key AWS features:

Cost-Effective: Athena charges only for the data scanned by the queries, making it a more cost-effective solution compared to Redshift or EMR for occasional queries.

Direct S3 Querying: Athena supports querying data directly in S3, including Parquet files, without needing to move the data.

AWS Documentation: Athena's compatibility with encrypted Parquet files in S3 makes it the ideal choice for this scenario, reducing both cost and complexity​​.

This answer is correct because it meets the requirements of moving the data efficiently and without disruption, and still being able to access and update the data during the transfer window. AWS DataSync is an online data movement and discovery service that simplifies and accelerates data migrations to AWS and helps you move data quickly and securely between on-premises storage, edge locations, other clouds, and AWS Storage. You can create an AWS DataSync agent in the corporate data center to connect your NAS system to AWS over the Direct Connect connection. You can create a data transfer task to specify the source location, destination location, and options for transferring the data. You can start the transfer to an Amazon S3 bucketand monitor the progress of the task. DataSync automatically encrypts data in transit and verifies data integrity during transfer. DataSync also supports incremental transfers, which means that only files that have changed since the last transfer are copied. This way, you can ensure that your data is synchronized between your NAS system and S3 bucket, and you can access and update the data during the transfer window.

Option B: FSx for Lustre is designed for HPC workloads with high IOPS.

Option E: A cluster placement group ensures low-latency networking for HPC analytics workloads.

Option A: Amazon EFS is not optimized for HPC.

Option D: Mountpoint for S3 does not meet high IOPS needs.

https://aws.amazon.com/premiumsupport/knowledge-center/multivalue-versus-simple-policies/

This solution allows for secure and least-privilege access with minimal operational overhead.

IAM Identity Center: AWS IAM Identity Center (formerly AWS SSO) enables you to centrally manage access to multiple AWS accounts and applications. By using IAM Identity Center, you can assign permission sets that define what users or groups can access, ensuring that only necessary permissions are granted.

Permission Sets: Permission sets in IAM Identity Center allow you to define granular access controls for specific services, such as Amazon RDS and S3. You can tailor these permissions to meet the needs of different teams, adhering to the principle of least privilege.

Group Management: By assigning users to groups and associating those groups with specific permission sets, you reduce the complexity and overhead of managing individual IAM roles and policies. This method also simplifies compliance and audit processes.

Why Not Other Options?:

Option A (IAM roles): While IAM roles can provide least-privilege access, managing multiple roles and policies across teams increases operational overhead compared to using IAM Identity Center.

Option C (Individual IAM users): Managing individual IAM users and roles can be cumbersome and does not scale well compared to group-based management in IAM Identity Center.

Option D (AWS Organizations with cross-account roles): Creating separate accounts and cross-account roles adds unnecessary complexity and overhead for this use case, where IAM Identity Center provides a more straightforward solution.

AWS References:

AWS IAM Identity Center- Overview and best practices for using IAM Identity Center.

Managing Access Permissions Using IAM Identity Center- Guide on creating and managing permission sets for secure access.

The most cost-effective solution for serving video content with different bitrates is to store multiple versions of each video inAmazon S3. S3 provides scalable and cost-effective storage for largemedia files. Serving the videos from a single Amazon EC2 instance ensures low-latency delivery, and S3 storage helps minimize costs.

Option A (ElastiCache): Caching large video files in memory would be prohibitively expensive and unnecessary.

Option B (Auto Scaling group): Using Auto Scaling groups to serve video is less cost-effective compared to leveraging S3 for static storage.

Option D (Kinesis Video Streams): Kinesis Video Streams is designed for real-time video streaming and is not suitable for storing and serving pre-recorded videos.

AWS References:

Amazon S3 for Media Storage

AWS Glue Crawler: AWS Glue is a fully managed ETL (Extract, Transform, Load) service that makes it easy to prepare and load data for analytics. A Glue crawler can automatically discover new data and schema in Amazon S3, making it easy to keep the data catalog up-to-date.

Crawling the Data:

Set up an AWS Glue crawler to scan the S3 bucket containing the clickstream data.

The crawler will automatically detect the schema and create/update the tables in the AWS Glue Data Catalog.

Amazon Athena:

Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

Once the data catalog is updated by the Glue crawler, use Athena to query the clickstream data directly in S3.

Operational Efficiency: This solution leverages fully managed services, reducing operational overhead. Glue crawlers automate data cataloging, and Athena provides a serverless, pay-per-query model for quick data analysis without the need to set up or manage infrastructure.

Versioning is a feature of Amazon S3 that allows users to keep multiple versions of the same object in a bucket. It can help prevent accidental deletion of the documents and ensure that all versions of the documents areavailable1. MFA Delete is a feature of Amazon S3 that adds an extra layer of security by requiring two forms of authentication to delete a version or change the versioning state of a bucket. It can help preventunauthorized or accidental deletion of the documents2. By enabling both versioning and MFA Delete on the bucket, the solution can meet the requirements.

A. Enable a read-only bucket ACL. This solution will not meet the requirement of allowing users to download, modify, and upload documents, as a read-only bucket ACL will prevent write access to the bucket3.

C. Attach an IAM policy to the bucket. This solution will not meet the requirement of preventing accidental deletion of the documents and ensuring that all versions of the documents are available, as an IAM policy is used to grant or deny permissions to users or roles, not to enable versioning or MFA Delete4.

E. Encrypt the bucket using AWS KMS. This solution will not meet the requirement of preventing accidental deletion of the documents and ensuring that all versions of the documents are available, as encrypting the bucket using AWS KMS is a method of protecting data at rest, not enabling versioning or MFA Delete.

Reference URL: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

To ingest, transform, and query real-time streaming data from multiple sources, Amazon Kinesis and Amazon MSK are suitable solutions. Amazon Kinesis Data Streams can stream the data from various sources and integrate with other AWS services. Amazon Kinesis Data Analytics can transform the data using SQL or Apache Flink. Amazon Kinesis Data Firehose can write the data to Amazon S3 or other destinations. Amazon Athena can query the transformed data from Amazon S3 using standard SQL. Amazon MSK can stream the data using Apache Kafka, which is a popular open-source platform for streaming data. AWS Glue can transform the data using Apache Spark or Python scripts and write the data to Amazon S3 or other destinations. Amazon Athena can also query the transformed data from Amazon S3 using standard SQL.

AWS Global Accelerator: This service provides a global fixed entry point to your applications and optimizes the path to your application through the AWS global network, reducing latency and improving performance.

Accelerated TCP Connections:

Global Accelerator uses the AWS global network to route traffic to the nearest edge location, improving the performance and reliability of your live streams.

It provides static IP addresses that act as a fixed entry point to your application, simplifying DNS management.

High-Quality Streams:

By leveraging Global Accelerator, reporters can send live streams with the highest quality and low latency.

This service automatically reroutes traffic to the nearest available AWS Region, ensuring consistent performance even during traffic spikes or failures.

Operational Efficiency: Using Global Accelerator simplifies the network setup and provides an optimized path for live streams without the need for complex configurations, making it an efficient solution for real-time streaming applications.

it allows the company to monitor costs and notify responsible stakeholders in the event of unusual spending. By creating an AWS Cost Anomaly Detection monitor in the AWS Billing and Cost Management console, the company can use a machine learning service that automatically detects and alerts on anomalous spend. By configuring alert thresholds, notification preferences, and root cause analysis, the company can prevent unusual spending and identify its source. References:

AWS Cost Anomaly Detection

Creating a Cost Anomaly Monitor

Joining the FSx for Windows File Server file system to the on-premises Active Directory will allow the company to use the existing Active Directory groups to restrict access to the file shares, folders, and files after the move to AWS. This option allows the company to continue using their existing access controls and management structure, making the transition to AWS more seamless.

These answers are correct because they meet the requirements of creating a new DB instance from the most recent backup and using a MySQL-compatible edition of Amazon Aurora to host the DB instance. You can import the RDS snapshot directly into Aurora if the MySQL DB instance and the Aurora DB cluster are running the same version of MySQL. For example, you can restore a MySQL version 5.6 snapshot directly to Aurora MySQL version 5.6, but you can’t restore a MySQL version 5.6 snapshot directly to Aurora MySQL version 5.7. This method is simple and requires the fewest number of steps. You can upload the database dump to Amazon S3 and then import the database dump into Aurora if the MySQL DB instance and the Aurora DB cluster are running different versions of MySQL. For example, you can import a MySQLversion 5.6 database dump into Aurora MySQL version 5.7, but you can’t restore a MySQL version 5.6 snapshot directly to Aurora MySQL version 5.7. This method is more flexible and allows you to migrate across different versions of MySQL.

it allows the company to deploy an application that processes large quantities of data in parallel and prevent groups of nodes from sharing the same underlying hardware. By running the EC2 instances in a spread placement group, the company can launch a small number of instances across distinct underlying hardware to reduce correlated failures. A spread placement group ensures that each instance is isolated from each other at the rack level. References:

Placement Groups

Spread Placement Groups

Client-side encryption is a method of encrypting data before uploading it to Amazon S3. It allows users to manage the encryption process, encryption keys, and related tools1. By using client-side encryption, the solution can ensure that the data is encrypted at rest andin transit, as Amazon S3 will not have access to the encryption keys or the unencrypted data2.

S3 Storage Lens is a cloud storage analytics feature that provides organization-wide visibility into object storage usage and activity across multiple AWS accounts in AWS Organizations. S3 Storage Lens can report the incomplete multipart upload object count as one of the metrics that it collects and displays on an interactive dashboard in the S3 console. S3 Storage Lens can also export metrics in CSV or Parquet format to an S3 bucket for further analysis. This solution will meet the requirements with the least operational overhead, as it does not require any code development or policy changes.

This solution provides the most secure access for external support engineers with the least exposure to potential security risks.

AWS Systems Manager (SSM) and Session Manager: Systems Manager Session Manager allows secure and auditable access to EC2 instances without the need to open inbound SSH ports or manage SSH keys. This reduces the attack surface significantly. The SSM Agent must be installed and configured on all instances, and the instances must have an instance profile with the necessary IAM permissions to connect to Systems Manager.

IAM Identity Center: IAM Identity Center provides centralized management of access to the AWS Management Console for external support engineers. By using IAM Identity Center, youcan control console access securely and ensure that external engineers have the appropriate permissions based on their roles.

Why Not Other Options?:

Option B (Local IAM user credentials): This approach is less secure because it involves managing local IAM user credentials and does not leverage the centralized management and security benefits of IAM Identity Center.

Option C (Security group with SSH access): Allowing SSH access opens up the infrastructure to potential security risks, even when restricted by IP addresses. It also requires managing SSH keys, which can be cumbersome and less secure.

Option D (Bastion host): While a bastion host can secure SSH access, it still requires managing SSH keys and opening ports. This approach is less secure and more operationally intensive compared to using Session Manager.

AWS References:

AWS Systems Manager Session Manager- Documentation on using Session Manager for secure instance access.

AWS IAM Identity Center- Overview of IAM Identity Center and its capabilities for managing user access.

Using an interface endpoint will allow the BuyStock RESTful web service and the CheckFunds RESTful web service to communicate through the VPC without any changes to the code. An interface endpoint creates an elastic network interface (ENI) in the customer's VPC, and then configures the route tables to route traffic from the APIs to the ENI. This will ensure that the two APIs will communicate through the VPC without any changes to the code.

An Application Load Balancer (ALB) allows you to distribute incoming traffic across multiple backend instances, and can automatically route traffic to healthy instances while removing traffic from unhealthy instances. By using an ALB in front of the EC2 instances and routing traffic to it from Route 53, the load balancer can perform health checks on the instances and only routetraffic to healthy instances, which should help to reduce or eliminate timeout errors caused by unhealthy instances.

This answer is correct because it provides Regional failover capabilities for the online gaming application by using AWS Global Accelerator. AWS Global Accelerator is a networking service that helps you improve the availability, performance, and security of your public applications. Global Accelerator provides two global static public IPs that act as a fixed entry point to your application endpoints, such as NLBs, in different AWS Regions. Global Accelerator uses the AWS global network to route traffic to the optimal regional endpoint based on health, client location, and policies that you configure. Global Accelerator also terminates TCP and UDP traffic at the edge locations, which reduces the number of hops and improves the network performance. By adding AWS Global Accelerator in front of the NLBs, you can achieve Regional failover for your online gaming application.

This answer is correct because it meets the requirements of securely migrating the existing data to AWS and satisfying the new regulation. AWS DataSync is a service that makes it easy to move large amounts of data online between on-premises storage and Amazon S3. DataSync automatically encrypts data in transit and verifies data integrity during transfer. AWS CloudTrail is a service that records AWS API calls for your account and delivers log files to Amazon S3. CloudTrail can log data events, which show the resource operations performed on or within a resource in your AWS account, such as S3 object-level API activity. By using CloudTrail to log data events, you can audit access at all levels of the stored data.

it allows the company to store and deliver images to users in a highly available and cost-effective way. By storing images in Amazon S3 Standard, the company can use a durable, scalable, and secure object storage service that offers high availability and performance. By using S3 Standard to directly deliver images by using a static website, the company can avoid running web servers and reduce operational overhead. S3 Standard also offers low storage pricing and free data transfer within AWS Regions. References:

Amazon S3 Storage Classes

Hosting a Static Website on Amazon S3

To allow the MySQL database in the private subnets to access the internet without exposing it to the public, a NAT gateway is a suitable solution. A NAT gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. A NAT gateway resides in the public subnets and can handle high throughput of traffic with low latency. A NAT gateway is also a managed service that does not require any operational overhead.

AWS Elastic Beanstalk provides an easy and quick way to deploy, manage, and scale applications. It supports a variety of platforms, including Java and Apache Tomcat. By using Elastic Beanstalk, the solutions architect can upload the Java application and configure the environment to run Apache Tomcat.

{

"Version": "2012-10-17",

"Statement": [

{

"Action": [

"s3:ListBucket",

"s3:DeleteObject"

],

"Resource": [

"arn:aws:s3:::"

],

"Effect": "Allow",

},

{

"Action": "s3:*DeleteObject",

"Resource": [

"arn:aws:s3:::/*" # <- The policy clause kludge "added" to match the solution (Q248.1) example

],

"Effect": "Allow"

}

]

}

Amazon Athena is a service that allows you to run SQL queries on data stored in Amazon S3. It is serverless, meaning you do not need to provision or manage any infrastructure. You only pay for the queries you run and the amount of data scanned1.

By using Amazon Athena to query your data in Amazon S3, you can achieve the following benefits:

You can run queries for your report without affecting the performance of your Amazon RDS for MySQL DB instance. You can export your data from your DB instance to an S3 bucket and use Athena to query the data in the bucket. This way, you can avoid the overhead and contention of running queries on your DB instance.

You can reduce the cost and complexity of running queries for your report. You do not need to create a read replica or a backup of your DB instance, which would incur additional charges and require maintenance. You also do not need to resize your DB instance to accommodate the additional workload, which would increase your operational overhead.

You can leverage the scalability and flexibility of Amazon S3 and Athena. You can store large amounts of data in S3 and query them with Athena without worrying about capacity or performance limitations. You can also use different formats, compression methods, and partitioning schemes to optimize your data storage and query performance1.

This answer is correct because it improves the application performance and decreases latency for the online game by using AWS Global Accelerator. AWS Global Accelerator is a networking service that helps you improve the availability, performance, and security of your public applications. Global Accelerator provides two global static public IPs that act as a fixed entry point to your application endpoints, such as NLBs, in different AWS Regions. Global Accelerator uses the AWS global network to route traffic to the optimal regional endpoint based on health, client location, and policies that you configure. Global Accelerator also terminates TCP and UDP traffic at the edge locations, which reduces the number of hops and improves the network performance. By adding AWS Global Accelerator in front of the NLBs, you can achieve up to 60% improvement in latency for your online game.

Amazon API Gateway with CloudFront: API Gateway allows you to create, deploy, and manage APIs, while CloudFront provides a CDN to deliver content with low latency and high transfer speeds.

AWS WAF (Web Application Firewall):

AWS WAF can be configured in CloudFront to protect against common web exploits, including SQL injection and cross-site scripting (XSS).

WAF allows you to create custom rules to block specific attack patterns and can be managed centrally.

Configuration:

Deploy your APIs using Amazon API Gateway.

Set up an Amazon CloudFront distribution in front of the API Gateway.

Configure AWS WAF on the CloudFront distribution to apply security rules.

Operational Efficiency: This solution provides robust protection with minimal operational overhead by leveraging managed AWS services, ensuring that your APIs are secure without extensive custom implementation.

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This allows you to use your data to gain new insights for your business and customers. The first step to create a data warehouse is to launch a set of nodes, called an Amazon Redshift cluster. After you provision your cluster, you can upload your data set and then perform data analysis queries. Regardless of the size of the data set, Amazon Redshift offers fast query performance using the same SQL-based tools and business intelligence applications that you use today.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html * Enable AWS multi-factor authentication (MFA) on your AWS account root user. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide. * Never share your AWS account root user password or access keys with anyone. * Use a strong password to help protect access to the AWS Management Console. For information about managing your AWS account root user password, see Changing the password for the root user.

This answer is correct because it meets the requirements of accommodating the larger workload without adding infrastructure and minimizing the cost. Reserved DB instances are a billing discount applied to the use of certain on-demand DB instances in your account. Reserved DB instances provide you with a significant discount compared to on-demand DB instance pricing. You can buy reserved DB instances for the total workload and choose between three payment options: No Upfront, Partial Upfront, or All Upfront. You can make the Amazon RDS for PostgreSQL DB instance larger by modifying its instance type to a higher performance class. This way, you can increase the CPU, memory, and network capacity of your DB instance and handle the increased workload.

Amazon S3 is a service that provides object storage in the cloud. It can be used to store andserve static web content, such as HTML, CSS, JavaScript, images, and videos1. By creating a new Amazon S3 bucket and configuring it for static website hosting, the solution can share information with the public.

Amazon S3 Versioning is a feature that keeps multiple versions of an object in the same bucket. It helps protect objects from accidental deletion or overwriting by preserving, retrieving, and restoring every version of every object stored in an S3 bucket2. By enabling S3 Versioning on the new bucket, the solution can prevent modifications or deletions of the files by anyone.

Amazon S3 Object Lock is a feature that allows users to store objects using a write-once-read-many (WORM) model. It can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. It requires S3 Versioning to be enabled on the bucket3. By using S3 Object Lock with a retention period in accordance with the designated date, the solution can prohibit modifications or deletions of the files by anyone before that date.

Amazon S3 bucket policies are JSON documents that define access permissions for a bucket and its objects. They can be used to grant or deny access to specific users or groups based on conditions such as IP address, time of day, or source bucket. By setting an S3 bucket policy to allow read-only access to the objects, the solution can ensure that the files are publicly readable.

A. Upload all files to an Amazon S3 bucket that is configured for static website hosting. Grant read-only IAM permissions to any AWS principals that access the S3 bucket until the designated date. This solution will not meet the requirement of prohibiting modifications or deletions of the files by anyone before a designated future date, as IAM permissions only apply to AWS principals, not to public users. It also does not use any feature to prevent accidental or intentional deletion or overwriting of the files.

C. Create a new Amazon S3 bucket with S3 Versioning enabled Configure an event trigger to run an AWS Lambda function in case of object modification or deletion. Configure the Lambda func-tion to replace the objects with the original versions from a private S3 bucket. This solution will not meet the requirement of prohibiting modifications or deletions of the files by anyone before a designated future date, as it only reacts to object modification or deletion events after they occur. It also involves creating and managing an additional resource (Lambda function) and a private S3 bucket.

D. Upload all files to an Amazon S3 bucket that is configured for static website hosting. Select the folder that contains the files. Use S3 Object Lock with a retention period in accordance with the designated date. Grant read-only IAM permissions to any AWS principals that access the S3 bucket. This solution will not meet the requirement of prohibiting modifications or deletions of the files by anyone before a designated future date, as it does not enable S3 Versioning on thebucket, which is required for using S3 Object Lock. It also does not allow read-only access to public users.

Reference URL: https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html

It uses Amazon Kinesis Data Firehose which is a fully managed service for delivering real-time streaming data to destinations such as Amazon S3. This service requires lessoperational overhead as compared to option A, B, and D. Additionally, it also uses Amazon API Gateway which is a fully managed service for creating, deploying, and managing APIs. These services help in reducing the operational overhead and automating the data ingestion process.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html#:~:text=The%20CloudTrail%20trail,time%20has%20passed.

Option A:The ALB must accept HTTPS traffic from the public internet. Allowing inbound traffic on port 443 from 0.0.0.0/0 enables this functionality.

Option C:The ALB must forward HTTPS traffic to the web application servers on port 443. Outbound traffic for port 443 must be allowed for this communication.

Option E:The ALB must perform health checks on the web application servers over HTTPS on port 8443. Outbound traffic for port 8443 must be allowed for this purpose.

Option B:Allowing all outbound traffic is overly permissive and does not align with the specific requirements.

Option D and F:Inbound traffic to the ALB from the web application instances is unnecessary because the flow of traffic is from the ALB to the web application instances, not vice versa.

AWS Documentation References:

Application Load Balancer Security Groups

Health Checks for ALBs

This answer is correct because it meets the requirements of sharing the database with the auditor in a secure way. You can create an encrypted snapshot of the database by using AWS Key Management Service (AWS KMS) to encrypt the snapshot with a customer managed key. You can share the snapshot with the auditor by modifying the permissions of the snapshot and specifying the AWS account ID of the auditor. You can also allow access to the AWS KMS encryption key by adding a key policy statement that grants permissions to the auditor’s account. This way, you can ensure that only the auditor can access and restore the snapshot in their own AWS account.

Spot Instances are EC2 instances that are available at up to a 90% discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads that can tolerate interruptions. Spot Instances can be reclaimed by EC2 when the demand for On-Demand capacity increases, but they provide a two-minute warning before termination. EKS managed node groups automate the provisioning and lifecycle management of nodes for EKS clusters. Managed node groups can use Spot Instances to reduce costs and scale the cluster based on demand. Managed node groups also support features such as Capacity Rebalancing and Capacity Optimized allocation strategy to improve the availability and resilience of Spot Instances. This solution will meet the requirements most cost-effectively, as it leverages the lowest-priced EC2 capacity and does not require any manual intervention.

Amazon RDS Proxy is a service that provides a fully managed, highly available database proxy for Amazon RDS and Aurora databases. It allows you to pool and share database connections, reduce database load, and improve application scalability and availability.

By using Amazon RDS Proxy in front of your Aurora database, you can achieve the following benefits:

You can reduce the number of connections to your database and avoid errors that indicate that there are too many connections. Amazon RDS Proxy handles the connection management and multiplexing for you, so you can use fewer database connections and resources.

You can reduce the failover time by 20% when a read replica is promoted to primary writer. Amazon RDS Proxy automatically detects failures and routes traffic to the new primary instancewithout requiring changes to your application code or configuration. According to a benchmark test, using Amazon RDS Proxy reduced the failover time from 66 seconds to 53 seconds, which is a 20% improvement.

You can improve the security and compliance of your database access. Amazon RDS Proxy integrates with AWS Secrets Manager and AWS Identity and Access Management (IAM) to enable secure and granular authentication and authorization for your database connections.

An Auto Scaling group is a collection of EC2 instances that share similar characteristics and can be scaled in or out automatically based on demand. An Auto Scaling group can be placed behind an Application Load Balancer, which is a type of Elastic Load Balancing load balancer that distributes incoming traffic across multiple targets in multiple Availability Zones. This solution will improve the resiliency of the web tier by providing high availability, scalability, and fault tolerance. An Amazon RDS Multi-AZ deployment is a configuration that automatically creates a primary database instance and synchronously replicates the data to a standby instance in a different Availability Zone. When a failure occurs, Amazon RDS automatically fails over to the standby instance without manual intervention. This solution will improve the resiliency of the database tier by providing data redundancy, backup support, and availability. This combination of steps will meet the requirements with minimal changes to the application during the migration.

The Kubernetes Cluster Autoscaler is a component that automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. It uses Auto Scaling groups to scale up or down the nodes according to the demand and capacity ofyour cluster1.

By using the Kubernetes Cluster Autoscaler in your Amazon EKS cluster, you can achieve the following benefits:

You can improve the performance and availability of your container applications by ensuring that there are enough nodes to run your pods and that there are no idle nodes wasting resources.

You can reduce the administrative overhead of managing your cluster size manually or using custom scripts. The Cluster Autoscaler handles the scaling decisions and actions for you based on the metrics and events from your cluster.

You can leverage the integration of Amazon EKS and AWS Auto Scaling to optimize the cost and efficiency of your cluster. You can use features such as launchtemplates, mixed instances policies, and spot instances to customize your node configuration and save up to 90% on compute costs2

The visibility timeout begins when Amazon SQS returns a message. During this time, the consumer processes and deletes the message. However, if the consumer fails before deleting the message and your system doesn't call the DeleteMessage action for that message before the visibility timeout expires, the message becomes visible to other consumers and the message is received again. If a message must be received only once, your consumer should delete it within the duration of the visibility timeout.https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html

Keyword: SQS queue writes to an Amazon RDS From this, Option D best suite & other Options ruled out [Option A - You can't intruduce one more Queue in the existing one; Option B - only Permission & Option C - Only Retrieves Messages] FIF O queues aredesigned to never introduce duplicate messages. However, your message producer might introduce duplicates in certain scenarios: for example, if the producer sends a message, does not receive a response, and then resends the same message. Amazon SQS APIs provide deduplication functionality that prevents your message producer from sending duplicates. Any duplicates introduced by the message producer are removed within a 5-minute deduplication interval. For standard queues, you might occasionally receive a duplicate copy of a message (at-least- once delivery). If you use a standard queue, you must design your applications to be idempotent (that is, they must not be affected adversely when processing the same message more than once).

https://aws.amazon.com/es/blogs/big-data/real-time-analytics-with-amazon-redshift-streaming-ingestion/

Amazon Macie can also send its findings to Amazon EventBridge, which is a serverless event bus that makes it easy to connect applications using data from a variety of sources. You can create an EventBridge rule that filters the SensitiveData event type from Macie findings and sends an Amazon SNS notification to the security team. Amazon SNS is a fully managed messaging service that enables you to send messages to subscribers or other applications.References:https://docs.aws.amazon.com/macie/latest/userguide/macie-findings.html#macie-findings-eventbridge

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html

By using Amazon S3 and AWS Lambda together, you can create a serverless architecture that provides highly scalable and available image resizing capabilities. Here's how the solution would work: Set up an Amazon S3 bucket to store the original images uploaded by users. Configure an event trigger on the S3 bucket to invoke an AWS Lambda function whenever a new image is uploaded. The Lambda function can be designed to retrieve the uploaded image, perform the necessary resizing operations based on device requirements, and store the resized images back in the S3 bucket or a different bucket designated for resized images. Configure the Amazon S3 bucket to make the resized images publicly accessible for serving to users.

https://aws.amazon.com/about-aws/whats-new/2018/03/introducing-amazon-vpc-nat-gateway-in-the-aws-govcloud-us-region/#:~:text=NAT%20Gateway%20is%20a%20highly,instances%20in%20a%20private%20subnet.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

An edge-optimized API Gateway is a way to create RESTful APIs that can access multiple DynamoDB tables through AWS Lambda functions. The edge-optimized API Gateway provides low latency and high performance by caching API responses at CloudFront edgelocations. The AWS Lambda functions can use the AWS SDK to query or scan the DynamoDB tables and return the data to the API Gateway. This solution meets all the requirements of the question, while the other options do not. References:

https://aws.amazon.com/blogs/compute/understanding-database-options-for-your-serverless-web-applications/

https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/module-3/

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/best-practices.html

The solution that will meet the requirement of ensuring that all data that is written to the EBS volumes is encrypted at rest is B. Create the EBS volumes as encrypted volumes and attach the encrypted EBS volumes to the EC2 instances. When you create an EBS volume, you can specify whether to encrypt the volume. If you choose to encrypt the volume, all data written to the volume is automatically encrypted at rest using AWS-managed keys. You can also use customer-managed keys (CMKs) stored in AWS KMS to encrypt and protect your EBS volumes. You can create encrypted EBS volumes and attach them to EC2 instances to ensure that all data written to the volumes is encrypted at rest.

To predict the resources needed for manufacturing processes each month using historical values that are currently stored in an Amazon S3 bucket, a solutions architect should use Amazon SageMaker to train a model by using the historical data in the S3 bucket, and deploy an Amazon SageMaker model and create a SageMaker endpoint for inference. Amazon SageMaker is a fully managed service that provides an easy way to build, train, and deploy machine learning (ML) models. The solutions architect can use the built-in algorithms or frameworks provided by SageMaker, or bring their own custom code, to train a model using the historical data in the S3 bucket as input. The trained model can then be deployed to a SageMaker endpoint, which is ascalable and secure web service that can handle requests for predictions from the application. The solutions architect does not need to have any ML experience or manage any infrastructure to use SageMaker.

https://www.amazonaws.cn/en/certificate-manager/faqs/#Managed_renewal_and_deployment

To design the API Gateway URL with the company's domain name and corresponding certificate, the company needs to do the following: 1. Create a Regional API Gateway endpoint: This will allow the company to create an endpoint that is specific to a region. 2. Associate the API Gateway endpoint with the company's domain name: This will allow the company to use its own domain name for the API Gateway URL. 3. Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the same Region: This will allow the company to use HTTPS for secure communication withits APIs. 4. Attach the certificate to the API Gateway endpoint: This will allow the company to use the certificate for securing the API Gateway URL. 5. Configure Route 53 to route traffic to the API Gateway endpoint: This will allow the company to use Route 53 to route traffic to the API Gateway URL using the company's domain name.

https://aws.amazon.com/sqs/features/

By routing incoming requests to Amazon SQS, the company can decouple the job requests from the processing instances. This allows them to scale the number of instances based on the size of the queue, providing more resources when needed. Additionally, using an Auto Scaling group based on the queue size will automatically scale the number of instances up or down depending on the workload. Updating the software to read from the queue will allow it to process the job requests in a more efficient manner, improving the performance of the system.

"Create an Amazon SQS queue to hold the jobs that needs to be processed. Create an Amazon EC2 Auto Scaling group for the compute application. Set the scaling policy for the Auto Scaling group to add and remove nodes based on the number of items in the SQS queue"

In this case we need to find a durable and loosely coupled solution for storing jobs. Amazon SQS is ideal for this use case and can be configured to use dynamic scalingbased on the number of jobs waiting in the queue.To configure this scaling you can use the backlog per instance metric with the target value being the acceptable backlog per instance to maintain. You can calculate these numbers as follows: Backlog per instance: To calculate your backlog per instance, start with the ApproximateNumberOfMessages queue attribute to determine the length of the SQS queue

as the policy prevents anyone from doing any EC2 action on any region except us-east-1 and allows only users with source ip 10.100.100.0/24 to terminate instances. So user with source ip 10.100.100.254 can terminate instances in us-east-1 region.

Moving the catalog to an Amazon Elastic File System (Amazon EFS) file system provides both high availability and durability. Amazon EFS is a fully-managed, highly-available, and durable file system that is built to scale on demand. With Amazon EFS, the catalog data can be storedand accessed from multiple EC2 instances in different availability zones, ensuring high availability. Also, Amazon EFS automatically stores files redundantly within and across multiple availability zones, making it a durable storage option.

https://docs.aws.amazon.com/systems-manager/latest/userguide/about-windows-app-patching.html

You might want to use Transfer Acceleration on a bucket for various reasons, including the following:

You have customers that upload to a centralized bucket from all over the world.

You transfer gigabytes to terabytes of data on a regular basis across continents.

You are unable to utilize all of your available bandwidth over the Internet when uploading to Amazon S3.

https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html

https://aws.amazon.com/s3/transfer-acceleration/#:~:text=S3%20Transfer%20Acceleration%20(S3TA)%20reduces,to%20S3%20for%20remote%20applications:

"Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects. Customers who have either web or mobile applications with widespread users or applications hosted far away from their S3 bucket can experience long and variable upload and download speeds over the Internet"

https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html

"Improved throughput - You can upload parts in parallel to improve throughput."

https://www.learnaws.org/2020/12/13/aws-rds-proxy-deep-dive/

RDS proxy can improve application availability in such a situation by waiting for the new database instance to be functional and maintaining any requests received from the application during this time. The end result is that the application is more resilient to issues with the underlying database.

This will enable solution to hold data till the time DB comes back to normal. RDS proxy is to optimally utilize the connection between Lambda and DB. Lambda can open multipleconnection concurrently which can be taxing on DB compute resources, hence RDS proxy was introduced to manage and leverage these connections efficiently.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS also savesthe KMS key's older cryptographic material in perpetuity so it can be used to decrypt data that the KMS key encrypted.

Key rotation in AWS KMS is a cryptographic best practice that is designed to be transparent and easy to use. AWS KMS supports optional automatic key rotation only for customer managed CMKs. Enable and disable key rotation. Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.

These are some of the main use cases for AWS DataSync: • Data migration – Move active datasets rapidly over the network into Amazon S3, Amazon EFS, or FSx for Windows File Server. DataSync includes automatic encryption and data integrity validation to help make sure that your data arrives securely, intact, and ready to use.

"DataSync includes encryption and integrity validation to help make sure your data arrives securely, intact, and ready to use."https://aws.amazon.com/datasync/faqs/

https://aws.amazon.com/blogs/aws/amazon-aurora-fast-database-cloning/

Share the existing KMS key with the MSP external account because it has already been used to encrypt the AMI snapshot.https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

Option Ais the best solution as it leveragesAWS Lambdafor serverless, scalable, and highly available processing and enrichment of clickstream data. Lambda can process the data in real-time, join it with the Aurora database data, and write the enriched results to Amazon S3. FromS3,Amazon Redshift Spectrumcan directly query the enriched data without needing to load the data into Redshift, enabling cost efficiency and high availability.

Why Other Options Are Incorrect:

Option B:EC2 Spot Instances are not guaranteed to be highly available, as Spot Instances can be interrupted at any time. This does not align with the requirement for high availability.

Option C:While ECS with AWS Fargate provides scalability, using EC2 for the COPY command introduces operational overhead and compromises high availability.

Option D:Kinesis Data Firehose and Athena are suitable for querying raw data, but they do not directly support enriching the data by joining with Aurora. This solution fails to meet the requirement for data enrichment.

Key AWS Features Used:

AWS Lambda:Real-time serverless processing with integration capabilities for Aurora and S3.

Amazon S3:Cost-effective storage for enriched data.

Amazon Redshift Spectrum:Direct querying of data stored in S3 without loading it into Redshift.

AWS Documentation References:

AWS Lambda Function Overview

Amazon Redshift Spectrum

Processing Streaming Data with Kinesis Data Streams

Creating an Amazon Simple Queue Service (SQS) queue and configuring the S3 bucket to send a notification to the SQS queue when an image is uploaded to the S3 bucket will ensure that the Lambda function is triggered in a stateless and durable manner.

Configuring the Lambda function to use the SQS queue as the invocation source, and deleting the message in the queue after it is successfully processed will ensure that the Lambda function processes the image in a stateless and durable manner.

Amazon SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating-message oriented middleware, and empowers developers to focus on differentiating work. When new images are uploaded to the S3 bucket, SQS will trigger the Lambda function to process the image and compress it. Once the image is processed, the SQS message is deleted, ensuring that the Lambda function is stateless and durable.

it allows the company to encrypt the Kubernetes secrets object in the EKS cluster with the least operational overhead. By enabling secrets encryption in the EKS cluster, the company can use AWS Key Management Service (AWS KMS) to generate and manage encryption keys for encrypting and decrypting secrets at rest. This is a simple and secure way to protect sensitive information in EKS clusters. References:

Encrypting Kubernetes secrets with AWS KMS

Kubernetes Secrets

"Typically, you configure buckets to be Requester Pays buckets when you want to share data but not incur charges associated with others accessing the data. For example, you might use Requester Pays buckets when making available large datasets, such as zip code directories, reference data, geospatial information, or web crawling data."https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html

To protect data in an S3 bucket from accidental deletion, versioning should be enabled, which enables you to preserve, retrieve, and restore every version of every object in an S3 bucket. Additionally, enabling MFA (multi-factor authentication) Delete on the S3 bucket adds an extra layer of protection by requiring an authentication token in addition to the user's access keys to delete objects in the bucket.

https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-launch-managed-instance.html

To ensure that Amazon S3 buckets do not have unauthorized configuration changes, a solutions architect should turn on AWS Config with the appropriate rules. AWS Config is a service that allows users to audit and assess their AWS resource configurations for compliance with industry standards and internal policies. It provides a detailed view of the resources and their configurations, including information on how the resources are related to each other. By turning on AWS Config with the appropriate rules, users can identify and remediate unauthorized configuration changes to their Amazon S3 buckets.

"For archive data that needs immediate access, such as medical images, news media assets, or genomics data, choose the S3 Glacier Instant Retrieval storage class, an archive storage class that delivers the lowest cost storage with milliseconds retrieval. For archive data that does not require immediate access but needs the flexibility to retrieve large sets of data at no cost, such as backup or disaster recovery use cases, choose S3 Glacier Flexible Retrieval (formerly S3 Glacier), with retrieval in minutes or free bulk retrievals in 5-12 hours."https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-glacier-instant-retrieval-storage-class/

https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/

How can I redirect HTTP requests to HTTPS using an Application Load Balancer? Last updated: 2020-10-30 I want to redirect HTTP requests to HTTPS using Application Load Balancer listener rules. How can I do this? Resolution Reference:https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/

In this scenario, the company wants to avoid regional data transfer charges while downloading and uploading images from Amazon S3. To accomplish this at the lowest cost, the NAT gateway should be launched in each availability zone that the EC2 instances are running in. This allows the EC2 instances to route traffic through the local NAT gateway instead of sending traffic across an availability zone boundary and incurring regional data transfer fees. This method will help reduce the data transfer costs since inter-Availability Zone data transfers in a single region are free of charge.

Amazon S3 File Gateway is a hybrid cloud storage service that enables on-premises applications to seamlessly use Amazon S3 cloud storage. It provides a file interface to Amazon S3 and supports SMB and NFS protocols. It also supports S3 Lifecycle policies that can automaticallytransition data from S3 Standard to S3 Glacier Deep Archive after a specified period of time. This solution will meet the requirements of increasing the company’s available storage space without losing low-latency access to the most recently accessed files and providing file lifecycle management to avoid future storage issues.

using AWS ECS on AWS Fargate since they requirements are for scalability and availability without having to provision and manage the underlying infrastructure to run the containerized workload.https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html

https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/module-4/

Build a Serverless Web Application with AWS Lambda, Amazon API Gateway, AWS Amplify, Amazon DynamoDB, and Amazon Cognito. This example showed similar setup as question: Build a Serverless Web Application with AWS Lambda, Amazon API Gateway, AWS Amplify, Amazon DynamoDB, and Amazon Cognito

https://aws.amazon.com/shield/faqs/

Amazon S3 sends event notifications about S3 buckets (for example, object created, object removed, or object restored) to an SNS topic in the same Region.

The SNS topic publishes the event to an SQS queue in the central Region.

The SQS queue is configured as the event source for your Lambda function and buffers the event messages for the Lambda function.

The Lambda function polls the SQS queue for messages and processes the Amazon S3 event notifications according to your application’s requirements.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/subscribe-a-lambda-function-to-event-notifications-from-s3-buckets-in-different-aws-regions.html

Why Option C is Correct:

S3 Access Points: Provide scalable management of access to large datasets with specific permissions for individual prefixes.

Dynamic Prefixes: Access points simplify managing access to a growing number of prefixes without relying solely on a single bucket policy.

Fine-Grained Control: Resource-based permissions on access points enforce prefix-level isolation effectively.

Why Other Options Are Not Ideal:

Option A: Using deny/allow bucket policies introduces complexity and is less scalable for dynamic prefixes.

Option B: Encryption ensures data security but does not address access management.

Option D: Pre-signed URLs are temporary and not suitable for managing access at scale.

AWS References:

Amazon S3 Access Points:AWS Documentation - S3 Access Points

Using a Lambda function as part of the Kinesis Data Firehose pipeline allows for real-time detection and masking of PII before data is written to S3. This ensures that PII is never stored in its raw form in the data lake.

Option B:Amazon Macie can scan and classify data but does not provide in-line PII masking for data ingestion.

Option C:Server-side encryption secures data but does not mask PII.

Option D:CloudHSM is unnecessary for PII masking and adds complexity without addressing the requirements.

AWS Documentation References:

Using Lambda with Kinesis Data Firehose

AWS Global Accelerator reduces latency by directing users to the optimal Regional endpoint based on global network health and proximity. Amazon CloudFront caches static and dynamic content at edge locations for ultra-low latency access worldwide, improving performance and reducing server load.

For bidirectional communication such as chat applications, Amazon API Gateway WebSocket API is the correct service. WebSocket APIs allow clients to establish long-lived connections and exchange messages with the backend Lambda functions in real time.

HTTP APIs and REST APIs are suitable for request-response models, not continuous two-way communication. CloudFront cannot maintain stateful WebSocket connections, so only Option C fits the requirements for a real-time, bidirectional application.

A. EC2 with EBS:Does not support SQL Server Always On availability groups effectively.

B. RDS Multi-AZ:Provides high availability but does not support SQL Server Always On availability groups.

C. EC2 with FSx for Windows:Best solution for SQL Server Always On as FSx provides shared storage compatible with SQL Server clustering.

D. EC2 with S3:S3 is not suitable for SQL Server storage.

To access an EFS file system across accounts and VPCs, the EFS must be mounted using VPC peering or AWS Transit Gateway, and the EC2 instances must use the amazon-efs-utils package with the correct mount target or access point.

Using an EFS access point simplifies access management, especially across accounts, by providing a POSIX identity and access policy layer.

VPC sharing doesn’t support EFS directly unless the subnet and resources are shared properly, which requires redeployment. Therefore, option D is the most complete and correct.

EC2 Auto Scaling warm pools allow you to pre-initialize instances, reducing the delay in scale-out events. This results in significantly faster response times during demand surges while remaining cost-effective compared to always running at peak capacity.

The issue described in the question, where incoming traffic seems to favor one EC2 instance, is often caused by session affinity (also known as sticky sessions) being enabled on the Application Load Balancer (ALB). When session affinity is enabled, the ALB routes requests from the same client to the same EC2 instance. This can cause an imbalance in traffic distribution, leading to performance bottlenecks on certain instances while others remain underutilized.

To resolve this issue, disabling session affinity ensures that the ALB distributes incoming traffic evenly across all EC2 instances, allowing better load distribution and reducing latency. The ALB will rely on its round-robin or least outstanding requests algorithm (depending on the configuration) to distribute traffic more evenly across instances.

Option B (Network Load Balancer): The NLB is designed for Layer 4 (TCP) traffic and low latency use cases, but it is not needed here as the problem is with load balancing logic at the application layer (Layer 7). The ALB is more appropriate for HTTP/HTTPS traffic.

Option C (Increase EC2 Instances): Adding more EC2 instances does not solve the root issue of uneven traffic distribution.

Option D (Health Check Frequency): Adjusting health check frequency won't address the imbalance caused by session affinity.

AWS References:

Application Load Balancer Sticky Sessions

Option C provides moving the website images onto an Amazon EFS file system that is mounted on every EC2 instance. Amazon EFS provides a scalable and fully managed file storage solution that can be accessed concurrently from multiple EC2 instances. This ensures that the website images can be accessed efficiently and consistently by all instances, improving performance In Option E The Auto Scaling group maintains a minimum of two instances, ensuring resilience by automatically replacing any unhealthy instances. Additionally, configuring an Amazon CloudFront distribution for the website further improves performance by caching content at edge locations closer to the end-users, reducing latency and improving content delivery. Hence combining these actions, the website's performance is improved through efficient image storage and content delivery

https://aws.amazon.com/rds/aurora/serverless/

Application availability: NLB cannot assure the availability of the application. This is because it bases its decisions solely on network and TCP-layer variables and has no awareness of the application at all. Generally, NLB determines availability based on the ability of a server to respond to ICMP ping or to correctly complete the three-way TCP handshake. ALB goes much deeper and is capable of determining availability based on not only a successful HTTP GET of a particular page but also the verification that the content is as was expected based on the input parameters.

(https://aws.amazon.com/cloudfront

https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#lambda-permissions

To launch a one-deal-a-day website on AWS with millisecond latency during peak hours and with the least operational overhead, the best option is to use an Amazon S3 bucket to host the website's static content, deploy an Amazon CloudFront distribution, set the S3 bucket as the origin, use Amazon API Gateway and AWS Lambda functions for the backend APIs, and store the data in Amazon DynamoDB. This option requires minimal operational overhead and can handle millions of requests each hour with millisecond latency during peak hours. Therefore, option D is the correct answer.

To ensure that orders are processed in the order that they are received, the best solution is to use an Amazon SQS FIFO (First-In-First-Out) queue. This type of queue maintains the exact order in which messages are sent and received. In this case, the application can send information about new orders to an Amazon API Gateway REST API, which can then use an API Gateway integration to send a message to an Amazon SQS FIFO queue for processing. The queue can then be configured to invoke an AWS Lambda function to perform the necessary processing on each order. This ensures that orders are processed in the exact order in which they are received.

https://digitalcloud.training/ssh-into-ec2-in-private-subnet/

"You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC."https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

AmazonKinesis Data Streamsis the best choice for this scenario:

Message throughput: Kinesis Data Streams supports high throughput with enhanced fan-out and dedicated throughput for consumers.

Large message size: Supports message sizes up to 1 MB, meeting the 500 KB requirement.

Message retention: Data streams can retain messages for up to 365 days.

Strict ordering: Guarantees message ordering within shards.

Why Other Options Are Not Ideal:

Option B:

While SQS FIFO supports strict ordering, SNS topics do not. SNS also does not natively support message retention or strict ordering across consumers.Does not meet requirements.

Option C:

EventBridge does not provide strict ordering guarantees or message retention beyond 24 hours.Does not meet requirements.

Option D:

SNS topics with Data Firehose are not designed for use cases requiring strict ordering or long message retention.Does not meet requirements.

AWS References:

Amazon Kinesis Data Streams:AWS Documentation - Kinesis Data Streams

AWS Messaging Services Comparison:AWS Documentation - Messaging Services

AWS Glue provides a serverless ETL solution requiring minimal development. Glue supports conversion to Parquet with managed jobs and integrates with S3 for output.

AWS Documentation References:

AWS Glue Overview

Option A: Importing customer-managed keys into AWS KMS ensures that encryption key material remains under the company’s control.

Option D: S3 Glacier with server-side encryption using customer-provided keys (SSE-C) complies with the need for controlled encryption and provides cost-effective storage for backups.

AWS Key Management Service Importing Keys Documentation,S3 Encryption Documentation

Analysis:

The company's requirements are to migrate 5 PB of data from physical tapes to AWS within 6 months, preserve the data for 10 years, and ensure cost efficiency.AWS Storage Gateway Tape Gatewayis purpose-built for such use cases, as it seamlessly integrates with backup applications and provides virtual tape storage in Amazon S3 Glacier Deep Archive.

Why Option D is Correct:

Tape Gateway: Enables the migration of physical tapes to virtual tapes. Virtual tapes are stored in Amazon S3 and can later be archived in Amazon S3 Glacier Deep Archive for long-term storage.

Cost Efficiency: Amazon S3 Glacier Deep Archive is the lowest-cost storage class for long-term data preservation.

Operational Simplicity: Tape Gateway integrates with existing on-premises backup software, reducing the need for additional tools or manual processes.

Scalability: Can handle the migration of large datasets, such as 5 PB, within the required timeframe.

Why Other Options Are Not Ideal:

Option A:

AWS DataSync is not designed for reading data directly from physical tapes. Staging the data on local storage adds unnecessary complexity and cost.Not suitable.

Option B:

Using backup applications to write directly to S3 Glacier Deep Archive may not leverage AWS-native services optimally. Tape Gateway simplifies the workflow significantly.Less efficient.

Option C:

Snowball Edge is ideal for environments without high-bandwidth connectivity. However, the company already has a 10 Gbps Direct Connect, making Tape Gateway a better choice.Not cost-effective.

AWS References:

AWS Storage Gateway - Tape Gateway:AWS Documentation - Tape Gateway

Amazon S3 Glacier Deep Archive:AWS Documentation - Glacier Deep Archive

This is a classic use case for Amazon Kinesis Data Streams + OpenSearch + QuickSight:

Kinesis Data Streams: For real-time ingestion and processing

OpenSearch Service: For fast full-text search, indexing, and analysis

QuickSight: For rich dashboard visualizations

This stack is fully managed, scalable, and native to AWS, minimizing operational overhead.

These options are the best solutions because they allow the company to run the application with Docker containers in the AWS Cloud using a managed service that scales automatically and does not require any infrastructure to manage. By using AWS Fargate, the company can launch and run containers without having to provision, configure, or scale clusters of EC2 instances. Fargate allocates the right amount of compute resources for each container and scales them up or down as needed. By using Amazon ECS or Amazon EKS, the company can choose the container orchestration platform that suits its needs. Amazon ECS is a fully managed service that integrates with other AWS services and simplifies the deployment and management of containers. Amazon EKS is a managed service that runs Kubernetes on AWS and provides compatibility with existing Kubernetes tools and plugins.

C. Provision an Amazon API Gateway API Connect the API to AWS Lambda to run the containers. This option is not feasible because AWS Lambda does not support running Docker containers directly. Lambda functions are executed in a sandboxed environment that is isolated from other functions and resources. To run Docker containers on Lambda, the company would need to use a custom runtime or a wrapper library that emulates the Docker API, which can introduce additional complexity and overhead.

D. Use Amazon Elastic Container Service (Amazon ECS) with Amazon EC2 worker nodes. This option is not optimal because it requires the company to manage the EC2 instances that host the containers. The company would need to provision, configure, scale, patch, and monitor the EC2 instances, which can increase the operational overhead and infrastructure costs.

E. Use Amazon Elastic Kubernetes Service (Amazon EKS) with Amazon EC2 worker nodes. This option is not ideal because it requires the company to manage the EC2 instances that host the containers. The company would need to provision, configure, scale, patch, and monitor the EC2 instances, which can increase the operational overhead and infrastructure costs.

The most cost-effective DynamoDB table configuration for the web application is to configure DynamoDB in on-demand mode by using the DynamoDB Standard table class. This configuration will allow the company to scale in response to application traffic and pay only for the read and write requests that the application performs on the table.

On-demand mode is a flexible billing option that can handle thousands of requests per second without capacity planning. On-demand mode automatically adjusts the table’s capacity based on the incoming traffic, and charges only for the read and write requests that are actually performed.On-demand mode is suitable for applications withunpredictable or variable workloads, or applications that prefer the ease of paying for only what they use1.

The DynamoDB Standard table class is the default and recommended table class for most workloads. The DynamoDB Standard table class offers lower throughput costs than the DynamoDB Standard-Infrequent Access (DynamoDB Standard-IA) table class, and is more cost-effective for tables where throughput is the dominant cost.The DynamoDB Standard table class also offers the same performance, durability, and availability as the DynamoDB Standard-IA table class2.

The other options are not correct because they are either not cost-effective or not suitable for the use case. Configuring DynamoDB with provisioned read and write by using the DynamoDB Standard table class, and setting DynamoDB auto scaling to a maximum defined capacity is not correct because this configuration requires manual estimation and management of the table’s capacity, which adds complexity and cost to the solution. Provisioned mode is a billing option that requires users to specify the amount of read and write capacity units for their tables, and charges for the reserved capacity regardless of usage.Provisioned mode is suitable for applications with predictable or stable workloads, or applications that require finer-grained control over their capacity settings1. Configuring DynamoDB with provisioned read and write by using the DynamoDB Standard-Infrequent Access (DynamoDB Standard-IA) table class, and setting DynamoDB auto scaling to a maximum defined capacity is not correct because thisconfiguration is not cost-effective for tables with moderate to high throughput. The DynamoDB Standard-IA table class offers lower storage costs than the DynamoDB Standard table class, but higher throughput costs.The DynamoDB Standard-IA table class is optimized for tables where storage is the dominant cost, such as tables that store infrequently accessed data2. Configuring DynamoDB in on-demand mode by using the DynamoDB Standard-Infrequent Access (DynamoDB Standard-IA) table class is not correct because this configuration is notcost-effective for tables with moderate to high throughput. As mentioned above, the DynamoDB Standard-IA table class has higher throughput costs than the DynamoDB Standard table class, which can offset the savings from lower storage costs.

This solution meets the following requirements:

It is private and secure, as it allows the EC2 instances to access the S3 bucket without using the public internet. A VPC endpoint is a gateway that enables you to create a private connection between your VPC and another AWS service, such as S3, within the same Region. A VPC endpoint for S3 provides secure and direct access to S3 buckets and objects using private IP addresses from your VPC. You can also use VPC endpoint policies and S3 bucket policies to control the access to the S3 resources based on the endpoint, the IAM user, the IAM role, or the source IP address.

It is simple and scalable, as it does not require any additional AWS services, gateways, or NAT devices. A VPC endpoint for S3 is a fully managed service that scales automatically with the network traffic. You can create a VPC endpoint for S3 with a few clicks in the VPC console or with a simple API call. You can also use the same VPC endpoint to access multiple S3 buckets in the same Region.

The most suitable solution for the company’s requirements is to configure AWS Glue DataBrew to transform the data and share the transformation steps with employees by using DataBrew recipes. This solution will provide a prebuilt solution for data transformation that does not require code, and will also provide data lineage and data profiling. The company can easily share the data transformation steps with employees throughout the company by using DataBrew recipes.

AWS Glue DataBrew is a visual data preparation tool that makes it easy for data analysts and data scientists to clean and normalize data for analytics or machine learning by up to 80% faster. Users can upload their data from various sources, such as Amazon S3, Amazon RDS, Amazon Redshift, Amazon Aurora, or Glue Data Catalog, and use a point-and-click interface to apply over 250 built-in transformations. Users can also preview the results of each transformation step and see how it affects the quality and distribution of the data1.

A DataBrew recipe is a reusable set of transformation steps that can be applied to one or more datasets. Users can create recipes from scratch or use existing ones from the DataBrew recipe library. Users can also export, import, or share recipes with other users or groups within their AWS account or organization2.

DataBrew also provides data lineage and data profiling features that help users understand and improve their data quality. Data lineage shows the source and destination of each dataset and how it is transformed by each recipe step. Data profiling shows various statistics and metrics about each dataset, such as column

Deletion protection is a feature of DynamoDB that prevents accidental deletion of tables. When deletion protection is enabled, you cannot delete a table unless you explicitly disable it first. This adds an extra layer of security and reduces the risk of data loss and operational disruption. Deletion protection is easy to enable and disable using the AWS Management Console, the AWSCLI, or the DynamoDB API. This solution has the least operational overhead, as you do not need to create, manage, or invoke any additional resources or services. References:

Using deletion protection to protect your table

Preventing Accidental Table Deletion in DynamoDB

Amazon DynamoDB now supports table deletion protection

The most suitable solution for the company’s compliance policy is to enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification Service (Amazon SNS) notification when a noncompliant rule is created. This solution has the least operational overheadbecause it uses a predefined rule that is already available in AWS Config, which is a service that enables users to assess, audit, and evaluate the configurations of their AWS resources. The restricted-ssh rule checks whether security groups that are in use have inbound rules that allow SSH from 0.0.0.0/0 addresses, and reports them as noncompliant1. Users can configure the rule to send notifications to an Amazon SNS topic when a noncompliant change occurs, and subscribe to the topic to receive alerts via email, SMS, or other methods2.

The other options are not correct because they either have more operational overhead or do not meet the requirements. Writing an AWS Lambda script that monitors security groups for SSH being open to 0.0.0.0/0 addresses and creates a notification every time it finds one is not correct because it requires custom code development and maintenance, which adds complexity and cost to the solution. Creating an IAM role with permissions to globally open security groups and network ACLs, and creating an Amazon SNS topic to generate a notification every time the role is assumed by a user is not correct because it does not prevent or detect the creation of noncompliant rules by other users or roles, and it does not address the existing rules that may violate the policy. Configuring a service control policy (SCP) that prevents non-administrative users from creating or editing security groups, and creating a notification in the ticketing system when a user requests a rule that needs administrator permissions is not correct because it does not provide an automated solution for the policy enforcement and notification, and it may limit the flexibility and productivity of the users.

This option is the most cost-effective and simple way to enable SFTP access to the S3 data lake. AWS Transfer Family is a fully managed service that supports secure file transfers over SFTP, FTPS, and FTPprotocols. You can create an SFTP-enabled server with a public endpoint and associate it with your S3 bucket. You can also use AWS Identity and Access Management (IAM) roles and policies to control access to your S3 data lake. The service scales automatically to handle any volume of file transfers and provides high availability and durability. You do not need to provision, manage, or patch any servers or load balancers.

Option B is not correct because Amazon S3 File Gateway is not an SFTP server. It is a hybrid cloud storage service that provides a local file system interface to S3. You can use it to store and retrieve files as objects in S3 using standard file protocols such as NFS and SMB. However, itdoes not support SFTP protocol, and it requires deploying a file gateway appliance on-premises or on EC2.

Option C is not cost-effective or scalable because it requires launching and managing an EC2 instance in a private subnet and setting up a VPN connection for the new partner. This would incur additional costs for the EC2 instance, the VPN connection, and the data transfer. It would also introduce complexity and security risks to the solution. Moreover, it would require running a cron job script on the EC2 instance to upload files to the S3 data lake, which is not efficient or reliable.

Option D is not cost-effective or scalable because it requires launching and managing multiple EC2 instances in a private subnet and placing a NLB in front of them. This would incur additional costs for the EC2 instances, the NLB, and the data transfer. It would also introduce complexity and security risks to the solution. Moreover, it would require running a cron job script on the EC2 instances to upload files to the S3 data lake, which is not efficient or reliable. References:

What Is AWS Transfer Family?

What Is Amazon S3 File Gateway?

What Is Amazon EC2?

[What Is Amazon Virtual Private Cloud?]

[What Is a Network Load Balancer?]

To ensure that the shopping cart data is preserved at all times, a solutions architect should configure Amazon ElastiCache for Redis to cache catalog data from Amazon DynamoDB and shopping cart data from the user’s session. This solution has the following benefits:

It offers the lowest possible latency from the application, as ElastiCache for Redis is a blazing fast in-memory data store that provides sub-millisecond latency to power internet-scale real-time applications1.

It scales with traffic volume, as ElastiCache for Redis supports horizontal scaling by adding more nodes or shards to the cluster, and vertical scaling by changing the node type2.

It ishighly available, as ElastiCache for Redis supports replication across multiple Availability Zones and automatic failover in case of a primary node failure3.

It preserves user session data even if the user is disconnected and reconnects, as ElastiCache for Redis can store session data, such as user login information and shopping cart contents, in a persistent and durable manner using snapshots or AOF (append-only file) persistence4.

The most cost-effective solution for the online video game company is to configure a Network Load Balancer with the required protocol and ports for the internet traffic and specify the EC2 instances as the targets. This solution will enable the company to handle millions of UDP requests per second with ultra-low latency and high performance.

A Network Load Balancer is a type of Elastic Load Balancing that operates at the connection level (Layer 4) and routes traffic to targets (EC2 instances, microservices, or containers) within Amazon VPC based on IP protocol data. A Network Load Balancer is ideal for load balancing of both TCP and UDP traffic, as it is capable of handling millions of requests per second while maintaining high throughput at ultra-low latency. A Network Load Balancer also preserves the source IP address of the clients to the back-end applications, which can be useful for logging or security purposes1.

This option is the most cost-effective and scalable way to process the files uploaded to S3. AWS CloudTrail is used to log API calls, not to trigger actions based on them. AWS AppSync is a service for building GraphQL APIs, not for processing files. Amazon Kinesis Data Streams is used to ingest and process streaming data, not to send data to S3. Amazon SNS is a pub/sub service that can be used to notify subscribers of events, not to process files. References:

Using AWS Lambda with Amazon S3

AWS CloudTrail FAQs

What Is AWS AppSync?

[What Is Amazon Kinesis Data Streams?]

[What Is Amazon Simple Notification Service?]

AWS Glue is a serverless data integration service that can crawl, catalog, and prepare data for analysis. AWS Glue can automatically discover the schema and partitioning of the data stored in Apache Parquet format in S3, and create a table in the AWS Glue Data Catalog. Amazon Athena is a serverless interactive query service that can run SQL queries directly on data in S3, without requiring any data loading or transformation. Athena can use the table metadata from the AWS Glue Data Catalog to query the data in S3. By using AWS Glue and Athena, you can analyze the log files in S3 most cost-effectively, as you only pay for the resources consumed by the crawler and the queries, and you do not need to provision or manage any servers or clusters.

These two steps will meet the requirements because they will provide high availability and scalability for the web application without rewriting it. Amazon EC2 Auto Scaling allows you to automatically adjust the number of EC2 instances in response to changes in demand. By configuring Auto Scaling with multiple Availability Zones in private subnets, you can ensure that your web application is distributed across isolated and fault-tolerant locations, and that your instances are not directly exposed to the internet. An Application Load Balancer operates at the application layer and distributes incoming web traffic across multiple targets, such as EC2 instances, containers, or Lambda functions. By configuring an Application Load Balancer in a public subnet, you can enable your web application to handle requests from the internet and route them to the appropriate targets in the private subnets.

The solution that will meet the requirements is to create an AWS Lambda function that uses Amazon Rekognition to detect unwanted content, and create a Lambda function URL that the web application invokes when new photos are uploaded. This solution does not involve training a machine learning model, as Amazon Rekognition is a fully managed service that provides pre-trained computer vision models for image and video analysis. Amazon Rekognition can detect unwanted content such as explicit or suggestive adult content, violence, weapons, drugs, and more. By using AWS Lambda, the company can create a serverless function that can be triggered by an HTTP request from the web application. The Lambda function can use the Amazon Rekognition API to analyze the uploaded photos and return a response indicating whether they contain unwanted content or not.

The other solutions are not as effective as the first one because they either involve training a machine learning model, do not support image analysis, or do not work with photos. Creating and deploying a model by using Amazon SageMaker Autopilot involves training a machine learning model, which is not required for the scenario. Amazon SageMaker Autopilot is a service that automatically creates, trains, and tunes the best machine learning models for classification or regression based on the data provided by the user. Creating an Amazon CloudFront function that uses Amazon Comprehend to detect unwanted content does not support image analysis, as Amazon Comprehend is a natural language processing service that analyzes text, not images. Amazon Comprehend can extract insights and relationships from text such as language, sentiment, entities, topics, and more. Creating an AWS Lambda function that uses Amazon Rekognition Video todetect unwanted content does not work with photos, as Amazon Rekognition Video is designed for analyzing video streams, not static images. AmazonRekognition Video can detect activities, objects, faces, celebrities, text, and more in video streams.

The correct solution is to provision a separate AWS KMS key for each customer and encrypt the data server-side. This way, the company can use the S3 encryption feature to protect the data at rest and delegate the control of the encryption keys to the customers. The customers can then use their own IAM roles to access and decrypt their data. The company employees will not be able to access the data because they are not authorized by the KMS key policies. The other options are incorrect because:

Option A and D are using ACM certificates to encrypt the data client-side. This is not a recommended practice for S3 encryption because it adds complexity and overhead to the encryption process. Moreover, the company will have to manage the certificates and their policies for each customer, which is not scalable and secure.

Option B is using a separate KMS key for each customer, but it is using the S3 bucket policy to control the decryption access. This is not a secure solution because the bucket policy applies to the entire bucket, not to individual objects. Therefore, the customers will be able to access and decrypt each other’s data if they have the permission to list the bucket contents. The bucket policy also overrides the KMS key policy, which means the company employees can access the data if they have the permission to use the KMS key.

Recycle Bin is a data recovery feature that enables you to restore accidentally deleted Amazon EBS snapshots and EBS-backed AMIs. When using Recycle Bin, if your resources are deleted, they are retained in the Recycle Bin for a time period that you specify before being permanently deleted. You can restore a resource from the Recycle Bin at any timebefore its retention period expires. This solution has the least operational overhead, as you do not need to create, copy, or upload any additional resources. You can also manage tags and permissions for AMIs in the Recycle Bin. AMIs in the Recycle Bin do not incur any additional charges. References:

Recover AMIs from the Recycle Bin

Recover an accidentally deleted Linux AMI

To provide the HPC cluster with consistent sub-millisecond latency and high-throughput access to the data on the Snowball Edge Storage Optimized devices, a solutions architect should configure an Amazon FSx for Lustre file system, and integrate it with an Amazon S3 bucket. This solution has the following benefits:

It allows the HPC cluster to access the data on the Snowball Edge devices using a POSIX-compliant file system that is optimized for fast processing of large datasets1.

It enables the data to be imported from the Snowball Edge devices into the S3 bucket using the AWS Snow Family Console or the AWS CLI2. The data can then be accessed from the FSx for Lustre file system using the S3 integration feature3.

It supports high availability and durability of the data, as the FSx for Lustre file system can automatically copy the data to and from the S3 bucket3. The data can also be accessed from other AWS services or applications using the S3 API4.

The solution that will meet the requirements is to run the application on Amazon Elastic Container Service (Amazon ECS) as microservices with service auto scaling. This solution will allow the application to be flexible, scalable, and gradually improved, as well as minimize application downtime. By breaking down the monolithic application into microservices, the company can decouple the modules and update them independently, without affecting the whole application. By running the microservices on Amazon ECS, the company can leverage the benefits of containerization, such as portability, efficiency, and isolation. By enabling service auto scaling, the company can adjust the number of containers running for each microservice based on demand, ensuring optimal performance and cost. Amazon ECS also supports various deployment strategies, such as rolling update or blue/green deployment, that can reduce or eliminate downtime during updates.

The other solutions are not as effective as the first one because they either do not meet the requirements or introduce new challenges. Running the application on AWS Lambda as a single function with maximum provisioned concurrency will not meet the requirements, as it will not break down the monolith into microservices, nor will it reduce the complexity of maintenance. Lambda functions are also limited by execution time (15 minutes), memory size (10 GB), and concurrency quotas, which may not be sufficient for the report generation application. Running the application on Amazon EC2 Spot Instances as microservices with a Spot Fleet default allocation strategy will not meet the requirements, as it will introduce the risk of interruptions due to spot price fluctuations. Spot Instances are not guaranteed to be available or stable, and may be reclaimed by AWS at any time with a two-minute warning. This may cause report generation to fail or restart from scratch. Running the application on AWS Elastic Beanstalk as a single application environment with an all-at-once deployment strategy will not meet the requirements, as it will not break down the monolith into microservices, nor will it minimize application downtime. The all-at-once deployment strategy will deploy updates to all instances simultaneously, causing a brief outage for the application.

The company wants to reduce the compute costs and maintain service latency for its Lambda functions that process a constantly increasing number of messages in a message queue. The Lambda functions use CPU intensive code to process the messages. To meet these requirements, a solutions architect should recommend the following solution:

Configure provisioned concurrency for the Lambda functions. Provisioned concurrency is the number of pre-initialized execution environments that are allocated to the Lambda functions. These execution environments are prepared to respond immediately to incoming function requests, reducing the cold start latency. Configuring provisioned concurrency also helps to avoid throttling errors due to reaching the concurrency limit of the Lambda service.

Increase the memory according to AWS Compute Optimizer recommendations. AWS Compute Optimizer is a service that provides recommendations for optimal AWS resource configurations based on your utilization data. By increasing the memory allocated to the Lambda functions, you can also increase the CPU power and improve the performance of your CPU intensive code.AWS Compute Optimizer can help you find the optimal memory size for your Lambda functions based on your workload characteristics and performance goals.

This solution will reduce the compute costs by avoiding unnecessary over-provisioning of memory and CPU resources, and maintain service latency by using provisioned concurrency and optimal memory size for the Lambda functions.

AWS DataSync is a data transfer service that simplifies, automates, and accelerates moving data between on-premises storage systems and AWS storage services over the internet or AWS Direct Connect1. AWS DataSync can transfer data to Amazon FSx for Windows File Server, which is a fully managed file system that is accessible over the industry-standard Server Message Block (SMB) protocol. Amazon FSx for Windows File Server is builton Windows Server, delivering a wide range of administrative features suchas user quotas, end-user file restore, and Microsoft Active Directory (AD) integration2. This solution meets the requirements of the question because:

It can migrate more than 100 TB of data to AWS within a reasonable time frame, as AWS DataSync is optimized for high-speed and efficient data transfer1.

It can preserve the intricate directory structure and the millions of small files stored in deep hierarchies of subfolders, as AWS DataSync can handle complex file structures and metadata, such as file names, permissions, and timestamps1.

It can avoid changing the applications to access the data after migration, as Amazon FSx for Windows FileServer supports the same SMB protocol and Windows Server features that the company’s on-premises file storage uses2.

It can reduce the operational overhead, as AWS DataSync and Amazon FSx for Windows File Server are fully managed services that handle the tasks of setting up, configuring, and maintaining the data transfer and the file system12.

Purchasing a Compute Savings Plan for the minimum baseline usage ensures cost savings. Using On-Demand Instances for peak times ensures flexibility without over-provisioning. S3 Lifecycle policies enable automatic transition of objects to lower-cost storage classes such as S3 Glacier orS3 Intelligent-Tiering, further reducing storage costs.

Option B (Amazon FSx for Lustre): FSx for Lustre is optimized for high-performance file systems required by HPC workloads, scaling to millions of IOPS and supporting parallelized data access.

Option E (Cluster Placement Group with Auto Scaling): A cluster placement group ensures low-latency communication between EC2 instances, critical for HPC workloads. Amazon EMR simplifies running large-scale analytics jobs.

Amazon FSx for Lustre Documentation,AWS Placement Groups Documentation

Amazon CloudFront is a content delivery network (CDN) that caches content at edge locations around the world, providing low latency and high transfer speeds to users accessing the content. Adding a CloudFront distribution in front of the S3 bucket will cache the static website's content at edge locations around the world, decreasing latency for users accessing the website. This solution is also cost-effective as it only charges for the data transfer and requests made by users accessing the content from the CloudFront edge locations. Additionally, this solution provides scalability and reliability benefits as CloudFront can automatically scale to handle increased demand and provide high availability for the website.

To maximize resiliency and scalability, the best solution is to use an Amazon SQS queue as a destination for the jobs. This decouples the primary server from the compute nodes, allowing them to scale independently. This also helps to prevent job loss in the event of a failure. Using an Auto Scaling group of Amazon EC2 instances for the compute nodes allows for automatic scaling based on the workload. In this case, it's recommended to configure the Auto Scaling group based on the size of the Amazon SQS queue, which is a better indicator of the actual workload than the load on the primary server or compute nodes. This approach ensures that the application can handle variable workloads, while also minimizing costs by automatically scaling up or down the compute nodes as needed.

Enforce column-level authorization with Amazon QuickSight and AWS Lake Formationhttps://aws.amazon.com/blogs/big-data/enforce-column-level-authorization-with-amazon-quicksight-and-aws-lake-formation/

Concurrency Scaling allows Amazon Redshift to add transient capacity automatically to handle bursts in concurrent queries. This is ideal for scenarios with predictable surge periods, such as end-of-month reporting.

It improves performance without manual resizing or cluster modification and without affecting availability. Resizing requires manual intervention and potential downtime, and Redshift Spectrum is designed for querying data in S3, not for solving concurrency issues.

CloudFront Signed Cookies:

CloudFront signed cookies allow the company to provide access to premium users while maintaining a single, consistent URL.

This approach is simpler and more scalable than managing presigned URLs for each file.

Incorrect Options Analysis:

Option A: Using EC2 and EBS increases complexity and cost.

Option B: Managing presigned URLs for each file is not scalable.

Option D: CloudFront signed URLs require unique URLs for each file, which does not meet the requirement for a single URL.

AWS PrivateLinkis the most suitable solution for providing fine-grained access control while allowing multiple VPCs, potentially across multiple accounts, to access the new application. This approach offers the following advantages:

Fine-grained control: Endpoint policies can restrict access to specific services or principals.

No need for route table updates: Unlike VPC peering or transit gateways, AWS PrivateLink does not require complex route table management.

Scalable architecture: PrivateLink scales to support traffic from multiple VPCs.

Secure connectivity: Ensures private connectivity over the AWS network, without exposing resources to the internet.

Why Other Options Are Not Ideal:

Option A:

VPC peering is not scalable when connecting multiple VPCs or accounts.

Route table management becomes complex as the number of VPCs increases.Not scalable.

Option B:

While transit gateways provide scalable VPC connectivity, they are not ideal for fine-grained access control.

Transit gateways allow connectivity but do not inherently restrict access to specific applications.Not ideal for fine-grained access control.

Option D:

Exposing the application through an ALB over the internet is not secure and does not align with the requirement to use private network resources.Security risk.

AWS References:

AWS PrivateLink:AWS Documentation - PrivateLink

AWS Networking Services Comparison:AWS Whitepaper - Networking Services

To protect against a Regional failure, the application must be deployed in multiple Regions. Amazon Route 53 DNS failover with health checks allows traffic to be automatically routed to a healthy Region when the primary becomes unavailable, meeting high availability and disaster recovery requirements.

Amazon Kinesis Data Streams in on-demand mode is purpose-built for real-time ingestion of streaming data and scales automatically with traffic, which is ideal for fluctuating workloads like clickstream data.

Combined with AWS Lambda, which scales concurrently based on incoming events, this setup ensures efficient, real-time processing with minimal configuration and cost overhead.

Option B involves Firehose, which is not optimal for low-latency processing. Option C is incorrect as Kinesis Video Streams is designed for video data, not clickstream. Option D introduces Flink, which adds unnecessary complexity when Lambda suffices.

A. Create an Amazon API Gateway REST API. Configure the method to use the Lambda function. Enable IAM authentication on the API. This option is the most operationally efficient as it allows you to use API Gateway to handle the HTTPS endpoint and also allows you to useIAM to authenticate the calls to the microservice. API Gateway also provides manyadditional features such as caching, throttling, and monitoring, which can be useful for a microservice.

AWS Budgets allows you to set custom cost and usage budgets. When actual or forecasted usage exceeds the threshold, AWS Budgets can automatically send alerts to an Amazon SNS topic. You can use AWS Cost Explorer in parallel for visual tracking of spending. This solution requires no code and has minimal operational overhead.

To ensure that only specific AWS Lambda functions can read from or write to an Amazon SQS queue, useresource-based policiesattached directly to the SQS queue. These policies explicitly grant permissions to the IAM roles used by the Lambda functions. Additionally, the Lambda execution roles must also have IAM policies that permit SQS access. This dual-layer approach follows the AWS security best practice of granting least privilege access and ensures that no other service or entity can interact with the queue.

This is a common and supported pattern documented in theAmazon SQS Developer Guide, where resource-based policies restrict access at the queue level while IAM roles control permissions at the function level.

Key Problem:

Delayed Inventory table updates during peak sales.

DynamoDB Streams and Lambda processing require optimization.

Analysis of Options:

Option A:Adding a GSI is unrelated to the issue. It does not address stream processing delays or capacity issues.

Option B:Optimizing batch size reduces latency and allows the Lambda function to process larger chunks of data at once, improving performance during peak load.

Option C:Increasing write capacity for the Inventory table ensures that it can handle the increased volume of updates during peak times.

Option D:Increasing read capacity for the Orders table does not directly resolve the issue since the problem is with updates to the Inventory table.

Option E:Increasing Lambda timeout only addresses longer processing times but does not solve the underlying throughput problem.

AWS References:

DynamoDB Streams Best Practices

Provisioned Throughput in DynamoDB

AWS App2Container is a command-line tool that helps containerize existing Java and .NET applications running on-premises or on virtual machines, with minimal refactoring. By using Amazon EKS, the company benefits from a managed Kubernetes service, which significantly reduces the operational overhead compared to managing Kubernetes on EC2.

Amazon RDS for SQL Server provides a fully managed SQL Server database engine with automated backups, patching, and high availability through Multi-AZ deployments. This eliminates the need for the company to manage database infrastructure and software manually.

Overall, option A provides the most streamlined and managed approach for both the application and database layers with the least operational effort.

Comprehensive and Detailed Explanation:

Amazon ECS on AWS Fargate: AWS Fargate is a serverless compute engine for containers that works with Amazon ECS. It allows you to run containers without managing servers or clusters.

Amazon EFS: Amazon Elastic File System (EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It can be mounted to ECS tasks running on Fargate, allowing containers to access a shared file system with standard file system semantics, including OS-level permissions.

Using API Gateway with API keys provides secure access control. Amazon SQS allows asynchronous decoupling between frontend and backend, ensuring that backend processing can scale independently. AWS Lambda reading from SQS ensures scalable, event-driven processing with minimal operational management. This architecture is resilient and decoupled.

Comprehensive and Detailed Explanation:

For a MySQL database experiencing high write operations, using Amazon RDS with Provisioned IOPS (io1 or io2) SSD storage is recommended to achieve consistent and low-latency performance. Provisioned IOPS allows you to specify a desired IOPS rate, which is crucial for write-intensive workloads.

Monitoring write operation metrics through Amazon CloudWatch enables you to observe performance and adjust the provisioned IOPS as needed to meet application demands.

Amazon EFS is a fully managed, scalable file storage service that can be accessed concurrentlyby thousands of EC2 instances. It supports General Purpose performance mode for latency-sensitive use cases and provides high availability and durability across multiple Availability Zones with minimal changes to application code.

Detailed Explanation:

A. ECS + API Gateway:Overly complex and costly for an on-demand, intermittent workload.

B. EventBridge + SNS:EventBridge schedules are unnecessary for on-demand generation.

C. EKS + API Gateway:Overkill for this use case, with high operational overhead.

D. Lambda + SES:Most cost-effective and efficient solution for generating and emailing reports on demand.

Detailed Explanation:

A. IAM identity provider:Does not support centralized management across multiple accounts.

B. AWS Managed AD:Unnecessary if an on-premises Active Directory already exists.

C. IAM Identity Center + Existing AD:Best approach to integrate existing Active Directory for SSO, with MFA and centralized permissions.

D. Lambda for synchronization:Adds complexity and does not leverage IAM Identity Center capabilities.

Amazon Kinesis allows real-time ingestion of game events at scale, while Amazon DynamoDB provides millisecond-latency access to user data, automatically scaling with demand. This combination ensures real-time processing and fast data retrieval without managing infrastructure.

Comprehensive and Detailed Explanation:

AWS Control Tower provides a straightforward way to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of a baseline environment, or landing zone, that includes:

Service Control Policies (SCPs): These are used to manage permissions across AWS Organizations, allowing you to set permission guardrails. SCPs can restrict access to specific AWS services and actions, helping enforce security best practices.

Multi-Factor Authentication (MFA): AWS Control Tower can enforce MFA for the root user across all accounts, enhancing security.

Centralized Governance: It offers centralized logging and monitoring, making it easier to manage and audit multiple AWS accounts.

To handle temporary high workloads, Amazon RDS provisioned IOPS can be increased to meet the expected spike in database throughput.

Amazon EFS Elastic throughput mode is ideal for workloads with unpredictable or spiky traffic patterns. It automatically scales throughput based on the file system's size and activity, which is more effective than Bursting throughput during high sustained activity like a marketing campaign.

Multi-AZ improves availability but does not directly address performance. Migrating to PostgreSQL during a short campaign period introduces unnecessary complexity.

Amazon SQS provides durable, decoupled message storage for distributed systems. Using SQS as a job queue enables each EC2 instance to process a message independently. Scaling the Auto Scaling group based on the SQS queue length ensures parallelism and elasticity, aligning compute resources with workload volume.

Key Requirements:

Serverless architecture.

Handle traffic bursts with high availability.

Process orders asynchronouslyin the order they are received.

Analysis of Options:

Option A:Amazon SNS delivers messages to subscribers. However, SNS does not ensure ordering, making it unsuitable for FIFO (First In, First Out) requirements.

Option B:Amazon SQS FIFO queues support ordering and ensure messages are delivered exactly once. AWS Lambda functions can be triggered by SQS to process messages asynchronously and efficiently. This satisfies all requirements.

Option C:Amazon SQS standard queues do not guarantee message order and have "at-least-once" delivery, making them unsuitable for the FIFO requirement.

Option D:Similar to Option A, SNS does not ensure message ordering, and using AWS Batch adds complexity without directly addressing the requirements.

AWS References:

Amazon SQS FIFO Queues

AWS Lambda and SQS Integration

Many applications, including those built on modern serverless architectures, can have a large number of open connections to the database server and may open and close database connections at a high rate, exhausting database memory and compute resources. Amazon RDS Proxy allows applications to pool and share connections established with the database, improving database efficiency and application scalability. (https://aws.amazon.com/pt/rds/proxy/)

These options are operationally efficient because they use Amazon RDS read replicas to offload the reporting workload from the primary DB instance and avoid affecting any documentmodifications or the addition of new documents1. They also use Reserved Instances for the primary DB instance to reduce costs and On-Demand or Aurora Replicas for the read replicas to scale as needed. Option A is less efficient because it uses Amazon S3 Glacier Flexible Retrieval,which is a cold storage class that has higher retrieval costs and longer retrieval times than Amazon S3 Standard. It also uses EventBridge rules to invoke the job nightly, which does not meet the requirement of processing incoming data files as soon as possible. Option D is less efficient because it uses AWS Lambda to process the files, which has a maximum execution time of 15 minutes per invocation, which might not be enough for processing each file that needs 3-8 minutes. It also uses S3 event notifications to invoke the Lambda function when the files arrive, which could cause concurrency issues if there are thousands of small data files arriving periodically. Option E is less efficient because it uses Amazon DynamoDB, which is a NoSQL database service that does not support relational queries, which are needed for generating the reports. It also uses fixed write capacity, which could cause throttling or underutilization depending on the incoming data files.

To grant the necessary permissions to an AWS Lambda function to upload files to Amazon S3, a solutions architect should create an IAM execution role with the required permissions andattach the IAM role to the Lambda function. This approach follows the principle of least privilege and ensures that the Lambda function can only access the resources it needs to perform its specific task.

Amazon DocumentDB (with MongoDB compatibility) is a fast, reliable, and fully managed database service. Amazon DocumentDB makes it easy to set up, operate, and scale MongoDB-compatible databases in the cloud. With Amazon DocumentDB, you can run the same application code and use the same drivers and tools that you use with MongoDB.

https://docs.aws.amazon.com/documentdb/latest/developerguide/what-is.html

Use AWS Batch on Amazon EC2. AWS Batch is a fully managed batch processing service that can be used to easily run batch jobs on Amazon EC2 instances. It can scale the number of instances to match the workload, allowing the batch job to be completed in the desired time frame with minimal operational overhead.

Using AWS Lambda with Amazon API Gateway - AWS Lambda

https://docs.aws.amazon.com/lambda/latest/dg/services-apigateway.html

AWS Lambda FAQs

https://aws.amazon.com/lambda/faqs/

By configuring scheduled scaling, the solutions architect can set the Auto Scaling group to automatically scale up to the desired compute level at a specific time (IAM) when the batch job starts and then automatically scale down after the job is complete. This will allow the desired EC2 capacity to be reached quickly and also help in reducing the cost.

This option is the most efficient because it uses Amazon SQS, which is a fully managed message queuing service that lets you send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available1. It also uses an SQS message queue to asynchronously dispatch requests to the different application tiers, which decouples the image upload process from the thumbnail generation process and enables scalability and reliability. It also alerts the user through an application message that the image was received, which provides a faster response time to the user than waiting for the thumbnail generation to complete. Option A is less efficient because it uses a custom AWS Lambda function to generate the thumbnail and alert the user, which is a way to run code without provisioning or managing servers. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses the image upload process as an event source to invoke the Lambda function, which could cause concurrency issues if there are many images uploaded at once. Option B is less efficient because it uses AWS Step Functions, whichis a fully managed service that provides a graphical console to arrange and visualize the components of your application as a series of steps2. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses Step Functions to handle the orchestration between the application tiers and alert the user when thumbnail generation is complete, which could introduce additional complexity and latency. Option D is less efficient because it uses Amazon SNS, which is a fully managed messaging service that enables you to send messages or notifications directly to users with SMS text messages or email3. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses SNS notification topics and subscriptions to generate the thumbnail after the image upload is complete and message the user’s mobile app by way of a push notification after thumbnail generation is complete, which could introduce additional complexity and latency.

This option is the most efficient because it uses Amazon CloudFront, which is aweb servicethat speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users1. It also uses CloudFront to handle all the requests to the S3 bucket, which reduces the S3 costs by caching the content at the edge locations and serving it from there. It also allows authorized external users to access the documents in milliseconds, as CloudFront delivers the content with low latency and high data transfer rates. This solution meets the requirement of continuing paying to store the data but saving on its total S3 costs. OptionA is less efficient because it configures the S3 bucket to be a Requester Pays bucket, which is a way to shift the cost of data transfer and requests from the bucketowner to the requester2. However, this does not reduce the total S3 costs, as the company still has to pay for storing the data and for any requests made by its own users. Option B is less efficient because it changes the storage tier to S3 Standard for all existing andfuture objects, which is a way to store frequently accessed data withhighdurability and availability3. However, this does not reduce the total S3 costs, as S3 Standard has higher storage costs than S3 Standard-IA. Option C is less efficient because it turns on S3 Transfer Acceleration for the S3 bucket, which is a way to speed uptransfers into and out of an S3 bucket by routing requests through CloudFront edge locations4. However, this does not reduce the total S3 costs, as S3 Transfer Acceleration has additional charges for data transfer and requests.

https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.htmlhttps://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html

- First 30 days- data access every morning ( predictable and frequently) – S3 standard - After 30 days, accessed 4 times a year – S3 infrequently access - Data preserved- S3 Gllacier Deep Archive

This solution meets the requirement of reducing the number of database reads while ensuring high availability for a batch application that consists of a backend with multiple Amazon RDS databases. Amazon RDS read replicas are copies of the primary database instance that can serve read-only traffic. You can create one or more read replicas for a primary database instance and connect to them using a special endpoint. Read replicas can improve the performance and availability of your application by offloading read queries from the primary database instance.

Option B is incorrect because using Amazon ElastiCache for Redis can provide a fast, in-memory data store that can cache frequently accessed data, but it does not support replication from Amazon RDS databases. Option C is incorrect because using Amazon Route 53 DNS caching can improve the performance and availability of DNS queries, but it does not reduce the number of database reads. Option D is incorrect because using Amazon ElastiCache forMemcached can provide a fast, in-memory data store that can cache frequently accessed data, but it does not support replication from Amazon RDS databases.

 This option is the most efficient because it uses Amazon CloudFront, which is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users1. It also uses a CloudFront distribution for the static content, which reduces the load on the EC2 instances and improves the performance and availability of the website. It also uses an Auto Scaling group to launchnew instances based on network traffic, which automatically adjusts the compute capacity of your EC2 instances based on load or aschedule2. This solution meets the requirement of ensuring that all the requests are processed successfully during events for the launch of new products. Option A is less efficient because it uses a CloudFront distribution for the dynamic content, which is not necessary as the dynamic content is already handled by the API on the EC2 instances. It also increases the number of EC2 instances to handle the increase in traffic, which could incur higher costs and complexity than using an Auto Scaling group. Option C is less efficient because it uses an Amazon ElastiCache instance in front of the ALB to reduce traffic for the API to handle, which is a way to provide afully managed in-memory data store service that provides sub-millisecond latency for caching and data processing3. However, this could introduce additional complexity and latency, and does not scale automatically based on network traffic. Option D is less efficient because it uses an Amazon Simple Queue Service (Amazon SQS) queue to receive requests from the website for later processing by the EC2 instances, which is a way to send, store, and receive messages between software components at any volume. However, this does not provide a faster response time to the users as they have to wait for their requests to be processed by the EC2 instances.

This answer is correct because it provides a resilient and durable replacement for the on-premises file share that is compatible with a serverless web application. Amazon S3 is a fully managed object storage service that can store any amount of data and serve it over the internet. It supports the following features:

Resilience: Amazon S3 stores data across multiple Availability Zones within a Region, and offers 99.999999999% (11 9’s) of durability. It also supports cross-region replication, which enables automatic and asynchronous copying of objects across buckets in different AWS Regions.

Durability: Amazon S3 encrypts data at rest using server-side encryption with either Amazon S3-managed keys (SSE-S3), AWS KMS keys (SSE-KMS), or customer-provided keys (SSE-C). It also supports encryption in transit using SSL/TLS. Amazon S3 also provides data protection features such as versioning, which keeps multiple versions of an object in the same bucket, and MFA Delete, which requires additional authentication for deleting an object version or changing the versioning state of a bucket.

Performance: Amazon S3 delivers high performance and scalability for serving static and dynamic web content. It also supports features such as S3 Transfer Acceleration, which speeds up data transfers by routing requests to AWS edge locations, and S3 Select, which enables retrieving only a subset of data from an object by using simple SQL expressions.

The S3 Standard-Infrequent Access (S3 Standard-IA) storage class is suitable for storing images that are rarely accessed, but must be immediately available when needed. It offers the same high durability, throughput, and low latency as S3 Standard, but with a lower storage cost per GB and a higher per-request cost.

AWS Storage Gateway Volume Gateway provides two configurations for connecting to iSCSI storage, namely, stored volumes and cached volumes. The stored volume configuration stores the entire data set on-premises and asynchronously backs up the data to AWS. The cached volume configuration stores recently accessed data on-premises, and the remaining data is stored in Amazon S3. Since the company wants only its recently accessed data to remain stored locally, the cached volume configuration would be the most appropriate. It allows the company to keep frequently accessed data on-premises and reduce the need for scaling its iSCSI storage while still providing access to all data through the AWS cloud. This configuration also provides low-latency access to frequently accessed data and cost-effective off-site backups for less frequently accessed data.

https://docs.amazonaws.cn/en_us/storagegateway/latest/vgw/StorageGatewayConcepts.html#storage-gateway-cached-concepts

Restricting inbound access to the web servers to only port 443, which is used for HTTPS traffic, and allowing access from any IP address (0.0.0.0/0), since the application is public and accessible for global customers.

Restricting inbound access to the DB instance to only port 3306, which is used for MySQL traffic, and allowing access only from the security group of the web servers, which creates a secure connection between the two tiers and prevents unauthorized access to the database.

Restricting outbound access to the minimum required for both tiers, which is not specified in the question but can be assumed to be similar to the inbound rules.

Configure an EC2 Auto Scaling scheduled scaling policy based on the monthly schedule is the best option because it allows for the proactive scaling of the EC2 instances before the monthly batch run begins. This will ensure that the application is able to handle the increased workload without experiencing downtime. The scheduled scaling policy can be configured to increase the number of instances in the Auto Scaling group a few hours before the batch run and then decrease the number of instances after the batch run is complete. This will ensure that the resources are available when needed and not wasted when not needed. The most appropriate solution to handle the increased workload during the monthly batch run and avoid downtime would be to configure an EC2 Auto Scaling scheduled scaling policy based on the monthly schedule.

https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-scheduled-scaling.html