Amazon Web Services SAA-C03 AWS Certified Solutions Architect - Associate (SAA-C03) Exam Practice Test

A function URL is a unique identifier for a Lambda function that can be used to invoke the function over HTTPS. It is composed of the API endpointof the AWS Region where the function is deployed, and the name or ARN of the function1. By creating a function URL for the Lambda function, the solution can make the Lambda function available for the third party to call with the most operational efficiency.

B. Deploy an Application Load Balancer (ALB) in front of the Lambda function. Provide the ALB URL to the third party for the webhook. This solution will not meet the requirement of the most operational efficiency, as it involves creating and managing an additional resource (ALB) that is not necessary for invoking a Lambda function over HTTPS2.

C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Attach the topic to the Lambda function. Provide the public hostname of the SNS topic to the third party for the webhook. This solution will not work, as Amazon SNS topics do not have public hostnames that can be used as webhooks. SNS topics are used to publish messages to subscribers, not to receive messages from external sources3.

D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Attach the queue to the Lamb-da function. Provide the public hostname of the SQS queue to the third party for the webhook. This solution will not work, as Amazon SQS queues do not have public hostnames that can be used as webhooks. SQS queues are used to send, store, and receive messages between AWS services, not to receive messages from external sources.

Reference URL: https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html

To ingest and process high-volume streaming data with the least operational overhead, Amazon Kinesis Data Firehose is a suitable solution. Amazon Kinesis Data Firehose can capture, transform, anddeliver streaming data to Amazon S3 or other destinations. Amazon Kinesis Data Firehose can scale automatically to match the throughput of the data and handle any amount of data. Amazon Kinesis Data Firehose is also a fully managed service that does not require any servers to provision or manage.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html

AWS Backup is a fully managed service that enables users to centralize and automate the backup of data across AWS services. It can create and manage backup plans that specify the frequency and retention period of backups. It can also assign backup resources to backup vaults, which are containers that store backup data1. By using AWS Backup, the solution can ensure that the RDS backups are consistent, restorable, and retained for a minimum period of 2 years.

B. Configure a backup window for the RDS DB instances for daily snapshots. Assign a snapshot retention policy of 2 years to each RDS DB instance. Use Amazon Data Lifecycle Manager (Amazon DLM) to schedule snapshot deletions. This solution will not meet the requirement of ensuring that the backupsare consistent and restorable, as Amazon DLM is not compatible with RDS snapshots and cannot be used to schedule snapshot deletions2.

C. Configure database transaction logs to be automatically backed up to Amazon CloudWatch Logs with an expiration period of 2 years. This solution will not meet the requirement of ensuring that the backups are consistent and restorable, as database transaction logs are not sufficient to restore a database to a point in time. They only capture the changes made to the database, not the full state of the database3.

D. Configure an AWS Database Migration Service (AWS DMS) replication task. Deploy a replication instance, and configure a change data capture (CDC) task to stream database changes to Amazon S3 as the target. Configure S3 Lifecycle policies to delete the snapshots after 2 years. This solution will not meet the requirement of ensuring that the backups are consistent and restorable, as AWS DMS is a service that helps users migrate databases to AWS, not back up databases. It also requires additional resources and configuration, such as replication instances and CDC tasks.

Reference URL: https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html

it allows the company to keep the CloudTrail logs and query them at any time. By using the CloudTrail event history in the centralized account, the company can view, filter, and download recent API activity across multiple AWS accounts. By creating an Amazon Athena table from the CloudTrail event history, the company can use a serverless interactive query service that makes it easy to analyze data in S3 using standard SQL. By querying the CloudTrail logs from Athena, the company can gain insights into user activity and resource changes. References:

Viewing Events with CloudTrail Event History

Querying AWS CloudTrail Logs

Amazon Athena

This answer is correct because it meets the requirements of blocking the illegitimate incoming requests in a way that has a minimal impact on legitimate users. AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can associate AWS WAF with an ALB to protect the web application from malicious requests. You can configure a rate-limiting rule in AWS WAF to track the rate of requests for each originating IP address and block requests from an IP addressthat exceeds a certain limit within a five-minute period. This way, you can mitigate potential DDoS attacks and improve the performance of your website.

AWS Organizations is a service that helps users centrally manage and govern multiple AWS accounts. It allows users to create organizational units (OUs) to group accounts based on business needs or other criteria. It also allows users to define and attach service control policies (SCPs) to OUs or accounts to restrict the actions that can be performed by the accounts1. By creating a new organization in AWS Organizations with all features turned on, the solution can consolidate and manage the new AWS accounts for different business units.

AWS IAM Identity Center (formerly known as AWS Single Sign-On) is a service that provides single sign-on access for all of your AWS accounts and cloud applications. It connects with Microsoft Active Directory through AWS Directory Service to allow users in that directory to sign in to a personalized AWS access portal using their existing Active Directory user names and passwords. From the AWS access portal, users have access to all the AWS accounts and cloudapplications that they have permissions for2. By setting up IAM Identity Center in the organization and integrating it with the company’s corporate directory service, the solution can authenticate access to these AWS accounts using a centralized corporate directory service.

B. Set up an Amazon Cognito identity pool. Configure AWS IAM Identity Center (AWS Single Sign-On) to accept Amazon Cognito authentication. This solution will not meet the requirement of authenticating access to these AWS accounts by using a centralized corporate directory service, as Amazon Cognito is a service that provides user sign-up,sign-in, and access control for web and mobile applications, not for corporate directory services3.

C. Configure a service control policy (SCP) to manage the AWS accounts. Add AWS IAM Identi-ty Center (AWS Single Sign-On) to AWS Directory Service. This solution will not work, as SCPs are used to restrict the actions that can be performed by the accounts in an organization, not to manage theaccounts themselves1. Also, IAM Identity Center cannot be added to AWS Directory Service, as it is a separate service that connects with Microsoft Active Directory through AWS Directory Service2.

D. Create a new organization in AWS Organizations. Configure the organization’s authentication mechanism to use AWS Directory Service directly. This solution will not work, as AWS Organizations does not have an authentication mechanism that can use AWS Directory Service directly. AWS Organizations relies on IAM Identity Center to provide single sign-on access for the accounts in an organization.

Reference URL: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html

 To use an event-driven programming model with AWS Lambda and reduce operational overhead, Amazon API Gateway and Amazon DynamoDB are suitable solutions. Amazon API Gateway can receive the data from the sensors and invoke AWS Lambda functions to process the data. AWS Lambda can run code without provisioning or managing servers, and scale automatically with the incoming requests. Amazon DynamoDB can store the data in a fast and flexible NoSQL database that can handle any amount of data with consistent performance.

Amazon Athena is a service that allows you to run SQL queries on data stored in Amazon S3. It is serverless, meaning you do not need to provision or manage any infrastructure. You only pay for the queries you run and the amount of data scanned1.

By using Amazon Athena to query your data in Amazon S3, you can achieve the following benefits:

You can run queries for your report without affecting the performance of your Amazon RDS for MySQL DB instance. You can export your data from your DB instance to an S3 bucket and use Athena to query the data in the bucket. This way, you can avoid the overhead and contention of running queries on your DB instance.

You can reduce the cost and complexity of running queries for your report. You do not need to create a read replica or a backup of your DB instance, which would incur additional charges and require maintenance. You also do not need to resize your DB instance to accommodate the additional workload, which would increase your operational overhead.

You can leverage the scalability and flexibility of Amazon S3 and Athena. You can store large amounts of data in S3 and query them with Athena without worrying about capacity or performance limitations. You can also use different formats, compression methods, and partitioning schemes to optimize your data storage and query performance1.

it allows the company to monitor costs and notify responsible stakeholders in the event of unusual spending. By creating an AWS Cost Anomaly Detection monitor in the AWS Billing and Cost Management console, the company can use a machine learning service that automatically detects and alerts on anomalous spend. By configuring alert thresholds, notification preferences, and root cause analysis, the company can prevent unusual spending and identify its source. References:

AWS Cost Anomaly Detection

Creating a Cost Anomaly Monitor

https://aws.amazon.com/rds/features/multi-az/ To convert an existing Single-AZ DB Instance to a Multi-AZ deployment, use the "Modify" option corresponding to your DB Instance in the AWS Management Console.

https://aws.amazon.com/pinpoint/product-details/sms/ Two-Way Messaging: Receive SMS messages from your customers and reply back to them in a chat-like interactive experience. With Amazon Pinpoint, you can create automatic responses when customers send you messages that contain certain keywords. You can even use Amazon Lex to create conversational bots. A majority of mobile phone users read incoming SMS messages almost immediately after receiving them. If you need to be able to provide your customers with urgent or important information, SMS messaging may be the right solution for you. You can use Amazon Pinpoint to create targeted groups of customers, and then send them campaign-based messages. You can also use Amazon Pinpoint to send direct messages, such as appointment confirmations, order updates, and one-time passwords.

Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure1. RDS Proxy allows applications to pool and share connections established with the database, improving database efficiency and application scalability2. RDS Proxy also reduces failover times for Aurora and RDS databases by up to66% and enables IAM authentication and Secrets Manager integration for database access1. RDS Proxy can be enabled for most applications with no code changes2.

AWS DataSync is a service that makes it easy to move large amounts of data between AWS storage services and on-premises storage systems. AWS DataSync can copy files from an S3 bucket to an EFS file system and another S3 bucket continuously, as well as overwrite only the files that have changed in the source. This solution will meet the requirements with the least operational overhead, as it does not require any code development or manual intervention.

This answer is correct because it meets the requirements of accommodating the larger workload without adding infrastructure and minimizing the cost. Reserved DB instances are a billing discount applied to the use of certain on-demand DB instances in your account. Reserved DB instances provide you with a significant discount compared to on-demand DB instance pricing. You can buy reserved DB instances for the total workload and choose between three payment options: No Upfront, Partial Upfront, or All Upfront. You can make the Amazon RDS for PostgreSQL DB instance larger by modifying its instance type to a higher performance class. This way, you can increase the CPU, memory, and network capacity of your DB instance and handle the increased workload.

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/monitor-ami-events.html#:~:text=For%20example%2C%20you%20can%20create%20an%20EventBridge%20rule%20that%20detects%20when%20the%20AMI%20creation%20process%20has%20completed%20and%20then%20invokes%20an%20Amazon%20SNS%20topic%20to%20send%20an%20email%20notification%20to%20you.

This answer is correct because it meets the requirements of maximizing the reliability of the application’s infrastructure. You can update the DB instance to be Multi-AZ, which means that Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance. It can also help protect your databases against DB instance failure and Availability Zone disruption. You can also enable deletion protection on the DB instance, which prevents the DB instance from being deleted by any user. You can place the EC2 instances behind an Application Load Balancer, which distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. This increases the availability and fault tolerance of your applications. You can run the EC2 instances in an EC2 Auto Scaling group across multiple Availability Zones, which ensures that you have the correct number of EC2 instances available to handle the load for your application. You can use scaling policies to adjust the number of instances in your Auto Scaling group in response to changing demand.

To connect two VPCs in the same Region within the same AWS account, VPC peering is the most cost-effective solution. VPC peering allows direct network traffic between the VPCs without requiring a gateway, VPN connection, or AWS Transit Gateway. VPC peering also does not incur any additional charges for data transfer between the VPCs.

it allows the compliance team to manage the KMS keys used for server-side encryption, thereby providing the necessary control over the encryption keys. Additionally, the use of the "aws:SecureTransport" condition on the bucket policy ensures that all connections to the S3 bucket are encrypted in transit.

C and E are the correct answers because they allow the company to create a public endpoint for its web application that supports session affinity (sticky sessions) and has a WAF applied for additional security. By creating a public Application Load Balancer, the company can distribute incoming traffic across multiple EC2 instances in an Auto Scaling group and specify the application target group. By creating a web ACL in AWS WAF and associating it with the Application Load Balancer, the company can protect its web application from common web exploits. By enabling session stickiness on the Application Load Balancer, the company can ensure that subsequent requests from a user during a session are routed to the same target. References:

Application Load Balancers

AWS WAF

Target Groups for Your Application Load Balancers

How Application Load Balancer Works with Sticky Sessions

The best solution for this situation is option B, setting up AWS Global Accelerator with UDP listeners and endpoint groups in each Region. AWS Global Accelerator is a networking service that improves the availability and performance of internet applications by routing user requests to the nearest AWS Region [1]. It also improves the performance of UDP applications by providing faster, more reliable data transfers with lower latency and fewer packet losses. By setting up UDP listeners and endpoint groups in each Region, Global Accelerator will route traffic to the nearest Region for faster response times and a better user experience.

it allows the company to store and deliver images to users in a highly available and cost-effective way. By storing images in Amazon S3 Standard, the company can use a durable, scalable, and secure object storage service that offers high availability and performance. By using S3 Standard to directly deliver images by using a static website, the company can avoid running web servers and reduce operational overhead. S3 Standard also offers low storage pricing and free data transfer within AWS Regions. References:

Amazon S3 Storage Classes

Hosting a Static Website on Amazon S3

Client-side encryption is a method of encrypting data before uploading it to Amazon S3. It allows users to manage the encryption process, encryption keys, and related tools1. By using client-side encryption, the solution can ensure that the data is encrypted at rest andin transit, as Amazon S3 will not have access to the encryption keys or the unencrypted data2.

This answer is correct because it meets the requirements of migrating a 20 TB MySQL database within 2 weeks with minimal downtime and cost-effectively. The AWS Snowball Edge Storage Optimized device has up to 80 TB of usable storage space, which is enough to fit the database. The AWS Database Migration Service (AWS DMS) can migrate data from MySQL to Amazon Aurora, Amazon RDS for MySQL, or MySQL on Amazon EC2 with minimal downtime by continuously replicating changes from the source to the target. The AWS Schema Conversion Tool (AWS SCT) can convert the source schema and code to a format compatible with the target database. By using these services together, the company can migrate the database to AWS with minimal downtime and cost. The Snowball Edge device can be shipped back to AWS to finish the migration and continue the ongoing replication until the database is fully migrated.

it allows the company to create read replicas of its RDS database and reduce the load on the database tier. By creating read replicas, the company can offload read traffic from the primary database instance to one or more replicas. By configuring the reports to use the new read replicas, the company can improve performance and availability of its database tier. References:

Working with Read Replicas

Read Replicas for Amazon RDS for SQL Server

Joining the FSx for Windows File Server file system to the on-premises Active Directory will allow the company to use the existing Active Directory groups to restrict access to the file shares, folders, and files after the move to AWS. This option allows the company to continue using their existing access controls and management structure, making the transition to AWS more seamless.

DynamoDB Accelerator (DAX) is a fully managed, highly available caching service built for Amazon DynamoDB. DAX delivers up to a 10 times performance improvement—from milliseconds to microseconds—even at millions of requests per second. DAX does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management. Now you can focus on building great applications for your customers without worrying about performance at scale. You do not need to modify application logic because DAX is compatible with existing DynamoDB API calls. This solution will meet the requirements with the least operational overhead, as it does not require any code development or manual intervention.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/three-aws-glue-etl-job-types-for-converting-data-to-apache-parquet.html

AWS Glue is a serverless, fully managed ETL (Extract, Transform, and Load) service. It is specifically designed for data transformation tasks such as converting .csv files to Apache Parquet format. Using AWS Glue requires minimal development effort because it includes prebuilt transformations and integrates seamlessly with Amazon S3.

Option A:While Amazon EMR with Apache Spark offers extensive flexibility, it requires setting up and managing a cluster, writing custom Spark code, and handling resource scaling, which increases development effort compared to AWS Glue.

Option C:AWS Batch requires creating job definitions, specifying execution environments, and potentially writing custom scripts for the transformation process, which involves more setup compared to AWS Glue.

Option D:AWS Lambda could handle the transformation but is better suited for smaller-scale processing or real-time transformations. Handling hundreds of files daily with Lambda would require more complex orchestration and is not the most efficient solution for this scale of batch processing.

AWS Documentation References:

AWS Glue Overview

Transforming Data Using AWS Glue

AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS's storage infrastructure. By deploying a file gateway as a virtual machine on each clinic's premises, the medical research lab can provide low-latency access to the data stored in the S3 bucket while maintaining read-only permissions for each clinic. Thissolution allows the clinics to access the data files directly from their on-premises file-based applications without the need for data transfer or migration.

https://docs.aws.amazon.com/eks/latest/userguide/horizontal-pod-autoscaler.html

https://docs.aws.amazon.com/eks/latest/userguide/autoscaling.html

Horizontal pod autoscaling is a feature of Kubernetes that automatically scales the number of pods in a deployment, replication controller, or replica set based on that resource’s CPU utilization. It requires ametrics source such as the Kubernetes Metrics Server to provide CPU usage data1. Cluster autoscaling is a feature of Kubernetes that automatically adjusts the number of nodes in a cluster when pods fail or are rescheduled onto other nodes. It requires an integration with AWS Auto Scaling groups to manage the EC2 instances that join the cluster2. By using both horizontal pod autoscaling and cluster autoscaling, the solution can ensure that Amazon EKS scales in and out according to the workload.

Dynamic scaling is a type of autoscaling that automatically adjusts the number of EC2 instances in an Auto Scaling group based on demand or load. It uses CloudWatch alarms to trigger scaling actions when a specified metric crosses a threshold. It can scale out (addinstances) or scale in (remove instances) as needed1. By using dynamic scaling, the solution can maintain application performance during sudden traffic increases most cost-effectively.

A. Use manual scaling to change the size of the Auto Scaling group. This solution will not meet the requirement of maintaining application performance during sudden traffic increases, as manual scaling requires users to manually increase or decrease the number of instances through a CLI or console. It does not respond automatically to changes in demand or load2.

B. Use predictive scaling to change the size of the Auto Scaling group. This solution will not meet the requirement of most cost-effectiveness, as predictive scaling uses machine learning and artificial intelligence tools to evaluate traffic loads and anticipate when more or fewer resources are needed. It performs scheduled scaling actions based on the prediction, which may not matchthe actual demand or load at any given time. Predictive scaling is more suitable for scenarios where there are predictable traffic patterns or known changes in traffic loads3.

D. Use schedule scaling to change the size of the Auto Scaling group. This solution will not meet the requirement of maintaining application performance during sudden traffic increases, as schedule scaling performs scaling actions at specific times that users schedule. It does not respond automatically to changes in demand or load. Schedule scaling is more suitable for scenarios where there are predictable traffic drops or spikes at specific times of the day.

Reference URL: https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scale-based-on-demand.html

S3 Object Lock enables a write-once-read-many (WORM) model for objects stored in Amazon S3. It can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely1. S3 Object Lock has two retention modes: governance mode and compliance mode. Compliance mode provides the highest level of protection and prevents any user, including the root user, from deleting or modifying an object version until the retention period expires. To use S3 Object Lock, a new bucket with Object Lock enabled must be created, and a default retention period can be optionally configured for objects placed in the bucket2. To bring existing objects into compliance, they must be recopied into the bucket with a retention period specified.

Option A is incorrect because S3 Versioning and S3 Lifecycle do not provide WORM protection for objects. Moreover, MFA delete only applies to deleting object versions, not modifying them.

Option B is incorrect because governance mode allows users with special permissions to override or remove the retention settings or delete the object if necessary. This does not meet the legal requirement of retaining all data for 7 years.

Option D is incorrect because S3 Batch Operations cannot be used to apply compliance mode retention periods to existing objects. S3 Batch Operations can only apply governance mode retention periods or legal holds. Reference URL: 2: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-console.html 3:https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html#sc-dynamic-data-access 4:https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html 1: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html : https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html : https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html : https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/

A VPC peering connection is a networking connection between two VPCs that enables users to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. A VPC peering connection can be createdbetween VPCs in the same or different AWS accounts and Regions1. By configuring a VPC peering connection between VPC A and VPC B, the solution can provide the required access most securely.

A. Create a DB instance security group that allows all traffic from the public IP address of the application server in VPC A. This solution willnot provide the required access most securely, as it involves exposing the DB instance to the public internet and relying on a single IP address for access control2.

C. Make the DB instance publicly accessible. Assign a public IP address to the DB instance. This solution will not provide the required access most securely, as it involves exposing the DB instance to the public internet and allowing any source to connect to it2.

D. Launch an EC2 instance with an Elastic IP address into VPC B. Proxy all requests through the new EC2 instance. This solution will not provide the required access most securely, as it involves creating an additional resource and configuring a proxy server that may introduce latency and complexity3.

Reference URL: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

To store and view engineering drawings with caching support, Amazon S3 and Amazon CloudFront are suitable solutions. Amazon S3 can store any amount of data with high durability, availability, and performance. Amazon CloudFront can distribute the engineering drawings to edge locations closer to the users, which can reduce the latency and improve the user experience. Amazon CloudFront can also cache the engineering drawings at the edge locations, which can minimize the amount of time that users wait for the drawings to load.

AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. Lambda can be used to tag resources with the cost center ID of the user who created the resource, by querying the RDS database that maps users to cost centers. Amazon EventBridge is a serverless event bus service that enables event-driven architectures. EventBridge can be configured to react to AWS CloudTrail events, which are recorded API calls made by or on behalf of the AWS account. EventBridge can invoke the Lambda function when a resource is created in the specific AWS account, passing the user identity and resource information as parameters. This solution will meet the requirements, as it enables automatic tagging of resources based on the user and cost center mapping.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html#:~:text=The%20CloudTrail%20trail,time%20has%20passed.

User-defined tags are key-value pairs that can be applied to AWS resources to categorize and track them. User-defined tags can also be used to allocate costs and create detailed billing reports in the AWS Billing console. To use user-defined tags for cost allocation, the tags must be activated from the Organizations management account, which is the root account that has fullcontrol over all the member accounts in the organization. Once activated, the user-defined tags will appear as columns in the cost allocation report, and can be used to filter and group costs by product line. This solution will meet the requirements with the least operational overhead, as it leverages the existing tagging strategy and does not require any code development or manual intervention.

AWS DataSync is a data transfer service that makes it easy for you to move large amounts of data online between on-premises storage and AWS storage services over the internet or AWS Direct Connect. DataSync automatically encrypts your data in transit using TLS encryption, and verifies data integrity during transfer using checksums. DataSync can transfer data up to 10 times faster than open-source tools, and reduces operational overhead by simplifying and automating tasks such as scheduling, monitoring, and resuming transfers. References:https://aws.amazon.com/datasync/

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This allows you to use your data to gain new insights for your business and customers. The first step to create a data warehouse is to launch a set of nodes, called an Amazon Redshift cluster. After you provision your cluster, you can upload your data set and then perform data analysis queries. Regardless of the size of the data set, Amazon Redshift offers fast query performance using the same SQL-based tools and business intelligence applications that you use today.

An Application Load Balancer (ALB) allows you to distribute incoming traffic across multiple backend instances, and can automatically route traffic to healthy instances while removing traffic from unhealthy instances. By using an ALB in front of the EC2 instances and routing traffic to it from Route 53, the load balancer can perform health checks on the instances and only routetraffic to healthy instances, which should help to reduce or eliminate timeout errors caused by unhealthy instances.

AWS Backup is a fully managed service that allows you to centralize and automate data protection of AWS services across compute, storage, and database. AWS Backup Vault Lock is an optional feature of a backup vault that can help you enhance the security and control over your backup vaults. When a lock is active in Compliance mode and the grace time is over, the vault configuration cannot be altered or deleted by a customer, account/data owner, or AWS. This ensures that your backups are available for you until they reach the expiration of their retention periods and meet the regulatory requirements.References:https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html

it allows the company to simplify the on-premises backup infrastructure and reduce costs by eliminating the use of physical backup tapes. By setting up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface, the company can store backup data on virtual tapes in S3 or Glacier. This preserves the existing investment in the on-premises backup applications and workflows while leveraging AWS storage services. References:

AWS Storage Gateway

Tape Gateway

AWS Lambda charges you based on the number of invocations and the execution time of your function. Since the data processing job is relatively small (2 MB of data), Lambda is a cost-effective choice. You only pay for the actual usage without the need to provision and maintain infrastructure.

Before you begin: Decide which two Availability Zones you will use for your EC2 instances. Configure your virtual private cloud (VPC) with at least one public subnet in each of these Availability Zones. These public subnets are used to configure the load balancer. You can launch your EC2 instances in other subnets of these Availability Zones instead.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html#USER_RestoreFromSnapshot.CON

Under "Encrypt unencrypted resources" -https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Reserved is cheaper than on demand the company has. And it's meet the availabilty (HA) requirement as to spot instance that can be disrupted at any time. PRICING BELOW. On-Demand: 0% There’s no commitment from you. You pay the most with this option. Reserved : 40%-60%1-year or 3-year commitment from you. You save money from that commitment. Spot 50%-90% Ridiculously inexpensive because there’s no commitment from the AWS side.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html

https://aws.amazon.com/blogs/compute/building-loosely-coupled-scalable-c-applications-with-amazon-sqs-and-amazon-sns/

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html

Amazon Aurora is a fully managed, scalable, and highly available relational database service that is compatible with PostgreSQL. Migrating the database to Amazon Aurora would reduce the operational overhead of maintaining the database infrastructure and allow the company to focus on building and scaling the application. AWS Fargate is a fully managed container orchestrationservice that enables users to run containers without the need to manage the underlying EC2 instances. By using AWS Fargate with Amazon Elastic Container Service(Amazon ECS), the solutions architect can improve the scalability and efficiency of the web application and reduce the operational overhead of maintaining the underlying infrastructure.

https://aws.amazon.com/about-aws/whats-new/2017/10/aws-waf-now-supports-geographic-match/

https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html

The policy is separated into two parts because the ListBucket action requires permissions on the bucket while the other actions require permissions on the objects in the bucket. You must use two different Amazon Resource Names (ARNs) to specify bucket-level and object-level permissions. The first Resource element specifies arn:aws:s3:::AdminTools for the ListBucket action so that applications can list all objects in the AdminTools bucket.

https://computingforgeeks.com/stream-logs-in-aws-from-cloudwatch-to-elasticsearch/

https://aws.amazon.com/blogs/big-data/top-10-performance-tuning-tips-for-amazon-athena/

This solution meets the requirements of measuring the effectiveness of marketing campaigns by performing batch processing on csv files of sales data and storing the results in an Amazon S3 bucket once every hour. An AWS duo ETL process can use services such as AWS Glue or AWS Data Pipeline to extract data from S3, transform it into a more efficient format such as Apache Parquet, and load it back into S3. Apache Parquet is a columnar storage format that can improve the query performance and reliability of Athena by reducing the amount of data scanned, improving compression ratio, and enabling predicate pushdown.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-types.html

https://aws.amazon.com/cn/blogs/compute/cost-optimization-and-resilience-eks-with-spot-instances/

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.htmlhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html

SSE-S3 - is free and uses AWS owned CMKs (CMK = Customer Master Key). The encryption key is owned and managed by AWS, and is shared among many accounts. Its rotation is automatic with time that varies as shown in the table here. The time is not explicitly defined.

SSE-KMS - has two flavors:

AWS managed CMK. This is free CMK generated only for your account. You can only view it policies and audit usage, but not manage it. Rotation is automatic - once per 1095 days (3 years),

Customer managed CMK. This uses your own key that you create and can manage. Rotation is not enabled by default. But if you enable it, it will be automatically rotated every 1 year. This variant can also use an imported key material by you. If you create such key with an imported material, there is no automated rotation. Only manual rotation.

SSE-C - customer provided key. The encryption key is fully managed by you outside of AWS. AWS will not rotate it.

This solution meets the requirements of moving data to an Amazon S3 bucket, encrypting the data when it is stored in the S3 bucket, and automatically rotating the encryption key every year with the least operational overhead. AWS Key Management Service (AWS KMS) is a service that enables you to create and manage encryption keys for your data. A customer managed key is a symmetric encryption key that you create and manage in AWS KMS. You can enable automatic key rotation for a customer managed key, which means that AWS KMS generates new cryptographic material for the key every year. You can set the S3 bucket’s default encryption behavior to use the customer managed KMS key, which means that any object that is uploaded to the bucket without specifying an encryption method will be encrypted with that key.

Option A is incorrect because using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) does not allow you to control or manage the encryption keys. SSE-S3 uses a unique key for each object, and encrypts that key with a master key that is regularly rotated by S3. However, you cannot enable or disable key rotation for SSE-S3 keys, or specify the rotation interval. Option C is incorrect because manually rotating the KMS key every year can increase the operational overhead and complexity, and it may not meet the requirement of rotating the key every year if you forget or delay the rotationprocess. Option D is incorrect because encrypting the data with customer key material before moving the data to the S3 bucket can increase the operational overhead and complexity, and it may not provide consistent encryption for all objects in the bucket. Creating a KMS key without key material and importing the customer key material into the KMS key can enable you to use your own source of random bits to generate your KMS keys, but it does not support automatic key rotation.

**AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet**. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture. Interface **VPC endpoints**, powered by AWS PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace. https://aws.amazon.com/privatelink/

https://aws.amazon.com/blogs/compute/microservice-delivery-with-amazon-ecs-and-application-load-balancers/

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_vpc.html#example_vpc_2

ElastiCache, enhances the performance of web applications by quickly retrieving information from fully-managed in-memory data stores. It utilizes Memcached and Redis, and manages to considerably reduce the time your applications would, otherwise, take to read data from disk-based databases. Amazon CloudFront supports dynamic content from HTTP and WebSocket protocols, which are based on the Transmission Control Protocol (TCP) protocol. Common use cases include dynamic API calls, web pages and web applications, as well as an application's static files such as audio and images. It also supports on-demand media streaming over HTTP. AWS Global Accelerator supports both User Datagram Protocol (UDP) and TCP-based protocols. It is commonly used for non-HTTP use cases, such as gaming, IoT and voice over IP. It is also good for HTTP use cases that need static IP addresses or fast regional failover

https://docs.aws.amazon.com/sns/latest/dg/sns-dead-letter-queues.html

Q: What does Amazon RDS manage on my behalf?

Amazon RDS manages the work involved in setting up a relational database: from provisioning the infrastructure capacity you request to installing the database software. Once your database is up and running, Amazon RDS automates common administrative tasks such as performing backups and patching the software that powers your database. With optional Multi-AZ deployments, Amazon RDS also manages synchronous data replication across Availability Zones with automatic failover.

https://aws.amazon.com/rds/faqs/

ElastiCache can help speed up the read performance of the database by caching frequently accessed data, reducing latency and allowing the application to access the data more quickly. This solution requires minimal modifications to the current architecture, as ElastiCache can be used in conjunction with the existing Amazon RDS for MySQL database.

https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway.html

https://www.omnicalculator.com/other/data-transfer

https://aws.amazon.com/kms/faqs/#:~:text=If%20you%20are%20a%20developer%20who%20needs%20to%20digitally,a%20broad%20set%20of%20industry%20and%20regional%20compliance%20regimes.

You can use CloudFront to deliver video on demand (VOD) or live streaming video using any HTTP origin. One way you can set up video workflows in the cloud is by using CloudFront together with AWS Media Services.https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/on-demand-streaming-video.html

Composite alarms determine their states by monitoring the states of other alarms. You can **use composite alarms to reduce alarm noise**. For example, you can create a composite alarm where the underlying metric alarms go into ALARM when they meet specific conditions. You then canset up your composite alarm to go into ALARM and send you notifications when the underlying metric alarms go into ALARM by configuring the underlying metric alarms never to take actions. Currently, composite alarms can take the following actions:https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Create_Composite_Alarm.html

This solution meets the requirements of saving money on storage while keeping the most accessed files readily available for the users. S3 Lifecycle policy can automatically move objects from one storage class to another based on predefined rules. S3 Standard-IA is a lower-cost storage class for data that is accessed less frequently, but requires rapid access when needed. It is suitable for ringtones older than 90 days that are downloaded infrequently.

Option A is incorrect because configuring S3 Standard-IA for the initial storage tier of the objects can incur higher costs for frequent access and retrieval fees. Option B is incorrect because moving the files to S3 Intelligent-Tiering can incur additional monitoring and automation fees that may not be necessary for ringtones older than 90 days. Option C is incorrect because using S3 inventory to manage objects and move them to S3 Standard-IA can be complex and time-consuming, and it does not provide automatic cost savings.

By using an SQS queue and Lambda, the solutions architect can decouple the API front end from the processing microservices and improve the overall scalability and availability of the system. The SQS queue acts as a buffer, allowing the API front end to continue accepting user requests even if the processing microservices are experiencing high workloads or are temporarilyunavailable. The Lambda function can then retrieve requests from the SQS queue and write them to DynamoDB, ensuring that all user requests are stored and processed. This approach allows the company to scale the processing microservices independently from the API front end, ensuring that the API remains available to users even during periods of high demand.

AWS Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator standard accelerators.https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

This solution meets the requirement of migrating a Windows-based application that requires the use of a shared Windows file system attached to multiple Amazon EC2 Windows instances that are deployed across multiple Availability Zones. Amazon FSx for Windows File Server provides fully managed shared storage built on Windows Server, and delivers a wide range of data access, data management, and administrative capabilities. It supports the Server Message Block (SMB) protocol and can be mounted to EC2 Windows instances across multiple Availability Zones.

Option A is incorrect because AWS Storage Gateway in volume gateway mode provides cloud-backed storage volumes that can be mounted as iSCSI devices from on-premises application servers, but it does not support SMB protocol or EC2 Windows instances. Option C is incorrect because Amazon Elastic File System (Amazon EFS) provides a scalable and elastic NFS file system for Linux-based workloads, but it does not support SMB protocol or EC2 Windows instances. Option D is incorrect because Amazon Elastic Block Store (Amazon EBS) providespersistent block storage volumes for use with EC2 instances, but it does not support SMB protocol or attaching multiple instances to the same volume.

This solution meets the requirements of a customer-facing application that has a clearly defined access pattern throughout the year and a variable number of reads and writes that depend on the time of year. Amazon DynamoDB is a fully managed NoSQL database service that can handle any level of request traffic and data size. DynamoDB auto scaling can automatically adjust the provisioned read and write capacity based on the actual workload. DynamoDB on-demand backups can create full backups of the tables for data protection and archival purposes. DynamoDB Streams can capture a time-ordered sequence of item-level modifications in the tables for audit purposes.

Option B is incorrect because Amazon Redshift is a data warehouse service that is designed for analytical workloads, not for customer-facing applications. Option C is incorrect because Amazon RDS with Provisioned IOPS can provide consistent performance for relational databases, but it may not be able to handle unpredictable spikes in traffic and data size. Option D is incorrect because Amazon Aurora MySQL with auto scaling can provide high performance and availability for relational databases, but it does not support audit logging as a parameter.

https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-custom.htmlandhttps://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/working-with-custom-oracle.html

This solution meets the requirements of running a gaming application that transmits data by using UDP packets and scaling out and in as traffic increases and decreases. A Network Load Balancer can handle millions of requests per second while maintaining high throughput at ultra low latency, and it supports both TCP and UDP protocols. An Auto Scaling group can automatically adjust the number of EC2 instances based on the demand and the scaling policies.

Option B is incorrect because an Application Load Balancer does not support UDP protocol, only HTTP and HTTPS. Option C is incorrect because Amazon Route 53 is a DNS service that can route traffic based on different policies, but it does not provide load balancing or scaling capabilities. Option D is incorrect because a NAT instance is used to enable instances in a private subnet to connect to the internet or other AWS services, but it does not provide load balancing or scaling capabilities.

This approach ensures that the order creation and payment processing steps are separate and atomic. By sending the order information to an SQS FIFO queue, the payment service can process the order one at a time and in the order they were received. If the payment service is unable to process an order, it can be retried later, preventing the creation of multiple orders. The deletion of the message from the queue after it is processed will prevent the same message from being processed multiple times.

Amazon S3 is cheapest and can be accessed from anywhere.

1. lowest possible latency + node to node ==> cluster placement(must be within one AZ), so C, D out

2. For EBS Multi-Attach, up to 16 instances can be attached to a single volume==>we have 16 linux instance==>more close to A

3. "need a shared block device volume"==>EBS Multi-attach is Block Storage whereas EFS is File Storage==> B out

4. EFS automatically replicates data within and across 3 AZ==>we use cluster placement so all EC2 are within one AZ.

5. EBS Multi-attach volumes can be used for clients within a single AZ.

https://repost.aws/questions/QUK2RANw1QTKCwpDUwCCI72A/efs-vs-ebs-mult-attach

This solution meets the requirements of a disaster recovery solution to back up the data that is generated by an analytics application, stored in JSON format, and must be accessible in milliseconds if it is needed. Amazon S3 Standard is a durable and scalable storage class for frequently accessed data. It can store any amount of data and provide high availability and performance. It can also support millisecond access time for data retrieval.

Option A is incorrect because Amazon OpenSearch Service (Amazon Elasticsearch Service) is a search and analytics service that can index and query data, but it is not a backup solution for data stored in JSON format. Option B is incorrect because Amazon S3 Glacier is a low-cost storage class for data archiving and long-term backup, but it does not support millisecond access time fordata retrieval. Option D is incorrect because Amazon RDS for PostgreSQL is a relational database service that can store and query structured data, but it is not a backup solution for data stored in JSON format.

A -> We can configure CloudFront to require HTTPS from clients (enhanced security) https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html D - > storing static website on S3 provides scalability and less operational overhead, then configuration of Application LB and EC2 instances (hence E is out)

We recommend that you use On-Demand Instances for applications with short-term, irregular workloads that cannot be interrupted.https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-on-demand-instances.html

Queue has Limited throughput (300 msg/s without batching, 3000 msg/s with batching whereby up-to 10 msg per batch operation; Msg duplicates not allowed in the queue (exactly-once delivery); Msg order is preserved (FIFO); Queue name must end with .fifo

Migrating to Amazon MQ reduces the overhead on the queue management. C and D are dismissed. Deciding between A and B means deciding to go for an AutoScaling group for EC2 or an RDS for Postgress (both multi- AZ). The RDS option has less operational impact, as provide as a service the tools and software required. Consider for instance, the effort to add an additional node like a read replica, to the DB. https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/active-standby-broker-deployment.htmlhttps://aws.amazon.com/rds/postgresql/

(https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/)

The details are revealed in below url:https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html

FIFO (First-In-First-Out) queues are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can't be tolerated. Examples of situations where you might use FIFO queues include the following: To make sure that user-entered commands are run in the right order. To display the correct product price by sending price modifications in the right order. To prevent a student from enrolling in a course before registering for an account.

This solution meets the requirements of moving the files automatically, running Lambda functions on the copied data, and sending the data files to SageMaker Pipelines with the least operational overhead. S3 replication can copy the files from the initial S3 bucket to the analysis S3 bucket as they arrive. The analysis S3 bucket can send event notifications to Amazon EventBridge (Amazon CloudWatch Events) when an object is created.EventBridge can trigger Lambda and SageMaker Pipelines as targets for the ObjectCreated rule. Lambda can run pattern-matching code on the copied data, and SageMaker Pipelines can execute a pipeline with the data files.

Option A is incorrect because creating a Lambda function to copy the files to the analysis S3 bucket is not necessary when S3 replication can do that automatically. It also adds operational overhead to manage the Lambda function. Option B is incorrect because creating a Lambda function to copy the files to the analysis S3 bucket is not necessary when S3 replication can do that automatically. It also adds operational overhead to manage the Lambda function. Option C is incorrect because using S3 event notification with multiple destinations can result in throttling or delivery failures if there are too many events.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS also savesthe KMS key's older cryptographic material in perpetuity so it can be used to decrypt data that the KMS key encrypted.

Key rotation in AWS KMS is a cryptographic best practice that is designed to be transparent and easy to use. AWS KMS supports optional automatic key rotation only for customer managed CMKs. Enable and disable key rotation. Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.

Amazon S3 File Gateway is a hybrid cloud storage service that enables on-premises applications to seamlessly use Amazon S3 cloud storage. It provides a file interface to Amazon S3 and supports SMB and NFS protocols. It also supports S3 Lifecycle policies that can automaticallytransition data from S3 Standard to S3 Glacier Deep Archive after a specified period of time. This solution will meet the requirements of increasing the company’s available storage space without losing low-latency access to the most recently accessed files and providing file lifecycle management to avoid future storage issues.

bottlenecks can be avoided with queues (SQS).

https://aws.amazon.com/cn/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/

https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/

In Static Websites, Web pages are returned by the server which are prebuilt.

They use simple languages such as HTML, CSS, or JavaScript.

There is no processing of content on the server (according to the user) in Static Websites. Web pages are returned by the server with no change therefore, static Websites are fast.

There is no interaction with databases.

Also, they are less costly as the host does not need to support server-side processing with different languages.

============

In Dynamic Websites, Web pages are returned by the server which are processed during runtime means they are not prebuilt web pages but they are built during runtime according to the user’s demand.

These use server-side scripting languages such as PHP, Node.js, ASP.NET and many more supported by the server.

So, they are slower than static websites but updates and interaction with databases are possible.

https://aws.amazon.com/pt/blogs/aws/amazon-cloudfront-support-for-custom-origins/

You can now create a CloudFront distribution using a custom origin. Each distribution will can point to an S3 or to a custom origin. This could be another storage service, or it could be something more interesting and more dynamic, such as an EC2 instance or even an Elastic Load Balancer

To ensure that orders are processed in the order that they are received, the best solution is to use an Amazon SQS FIFO (First-In-First-Out) queue. This type of queue maintains the exact order in which messages are sent and received. In this case, the application can send information about new orders to an Amazon API Gateway REST API, which can then use an API Gateway integration to send a message to an Amazon SQS FIFO queue for processing. The queue can then be configured to invoke an AWS Lambda function to perform the necessary processing on each order. This ensures that orders are processed in the exact order in which they are received.

https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/

"Typically, you configure buckets to be Requester Pays buckets when you want to share data but not incur charges associated with others accessing the data. For example, you might use Requester Pays buckets when making available large datasets, such as zip code directories, reference data, geospatial information, or web crawling data."https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html

Static content can be cached at Cloud front Edge locations from S3 and dynamic content EC2 behind the ALB whose performance can be improved by Global Accelerator whose one endpoint is ALB and other Cloud front. So with regards to custom domain name endpoint is web application is R53 alias records for the custom domain point to web applicationhttps://aws.amazon.com/blogs/networking-and-content-delivery/improving-availability-and-performance-for-application-load-balancers-using-one-click-integration-with-aws-global-accelerator/

https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#lambda-permissions

https://aws.amazon.com/blogs/aws/amazon-aurora-fast-database-cloning/

Security groups are stateful. All inbound traffic is blocked by default. If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again. You cannot block specific IP address using Security groups (instead use Network Access Control Lists).

"You can specify allow rules, but not deny rules." "When you first create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group." Source:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#VPCSecurityGroups

https://aws.amazon.com/ebs/features/

"Provisioned IOPS volumes are backed by solid-state drives (SSDs) and are the highest performance EBS volumes designed for your critical, I/O intensive database applications.

These volumes are ideal for both IOPS-intensive and throughput-intensive workloads that require extremely low latency."

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html

using AWS ECS on AWS Fargate since they requirements are for scalability and availability without having to provision and manage the underlying infrastructure to run the containerized workload.https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html

This is the purpose of bookmarks: "AWS Glue tracks data that has already been processed during a previous run of an ETL job by persisting state information from the job run. This persisted state information is called a job bookmark. Job bookmarks help AWS Glue maintain state information and prevent the reprocessing of old data."https://docs.aws.amazon.com/glue/latest/dg/monitor-continuations.html

Amazon AppFlow is a fully managed integration service that enables you to securely transfer data between Software-as-a-Service (SaaS) applications like Salesforce, SAP, Zendesk, Slack, and ServiceNow, and AWS services like Amazon S3 and Amazon Redshift, in just a few clicks.https://aws.amazon.com/appflow/

https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/

To meet the requirements of the company to have access to both AWS and on-premises file storage with minimum latency, a hybrid cloud architecture can be used. One solution is to deploy and configure Amazon FSx for Windows File Server on AWS, which provides fully managed Windows file servers. The on-premises file data can be moved to the FSx File Gateway, which can act as a bridge between on-premises and AWS file storage. The cloud workloads can be configured to use FSx for Windows File Server on AWS, while the on-premises workloads can be configured to use the FSx File Gateway. This solution minimizes operational overhead and requires no significant changes to the existing file access patterns. The connectivity between on-premises and AWS can be established using an AWS Site-to-Site VPN connection.

To protect data in an S3 bucket from accidental deletion, versioning should be enabled, which enables you to preserve, retrieve, and restore every version of every object in an S3 bucket. Additionally, enabling MFA (multi-factor authentication) Delete on the S3 bucket adds an extra layer of protection by requiring an authentication token in addition to the user's access keys to delete objects in the bucket.

https://digitalcloud.training/ssh-into-ec2-in-private-subnet/

"Security groups create an outbound rule for every inbound rule." Not completely right. Statefull does NOT mean that if you create an inbound (or outbound) rule, it will create an outbound (or inbound) rule. What it does mean is: suppose you create an inbound rule on port 443 for the X ip. When a request enters on port 443 from X ip, it will allow traffic out for that request in the port 443. However, if you look at the outbound rules, there will not be any outbound rule on port 443 unless explicitly create it. In ACLs, which are stateless, you would have to create an inbound rule to allow incoming requests and an outbound rule to allow your application responds to those incoming requests.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules

Amazon Athena can be used to query JSON in S3

https://aws.amazon.com/kinesis/data-firehose/features/?nc=sn &loc=2#:~:text=into%20Amazon%20S3%2C%20Amazon%20Redshift%2C%20Amazon%20OpenSearch%20Service%2C%20Kinesis,Delivery%20streams

Moving the catalog to an Amazon Elastic File System (Amazon EFS) file system provides both high availability and durability. Amazon EFS is a fully-managed, highly-available, and durable file system that is built to scale on demand. With Amazon EFS, the catalog data can be storedand accessed from multiple EC2 instances in different availability zones, ensuring high availability. Also, Amazon EFS automatically stores files redundantly within and across multiple availability zones, making it a durable storage option.

To maximize resiliency and scalability, the best solution is to use an Amazon SQS queue as a destination for the jobs. This decouples the primary server from the compute nodes, allowing them to scale independently. This also helps to prevent job loss in the event of a failure. Using an Auto Scaling group of Amazon EC2 instances for the compute nodes allows for automatic scaling based on the workload. In this case, it's recommended to configure the Auto Scaling group based on the size of the Amazon SQS queue, which is a better indicator of the actual workload than the load on the primary server or compute nodes. This approach ensures that the application can handle variable workloads, while also minimizing costs by automatically scaling up or down the compute nodes as needed.

To reduce the cost of running the tests without reducing the compute and memory attributes of the Amazon RDS for MySQL DB instance, the development team can stop the instance when tests are completed and restart it when required. Stopping the DB instance when not in use can help save costs because customers are only charged for storage while the DB instance is stopped. During this time, automated backups and automated DB instance maintenance are suspended.When the instance is restarted, it retains the same configurations, security groups, and DB parameter groups as when it was stopped.

https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-network-traffic-inspection-using-aws-gateway-load-balancer/

https://www.learnaws.org/2020/12/13/aws-rds-proxy-deep-dive/

RDS proxy can improve application availability in such a situation by waiting for the new database instance to be functional and maintaining any requests received from the application during this time. The end result is that the application is more resilient to issues with the underlying database.

This will enable solution to hold data till the time DB comes back to normal. RDS proxy is to optimally utilize the connection between Lambda and DB. Lambda can open multipleconnection concurrently which can be taxing on DB compute resources, hence RDS proxy was introduced to manage and leverage these connections efficiently.

S3 Intelligent-Tiering - Perfect use case when you don't know the frequency of access or irregular patterns of usage.

Amazon S3 offers a range of storage classes designed for different use cases. These include S3 Standard for general-purpose storage of frequently accessed data; S3 Intelligent-Tiering for data with unknown or changing access patterns; S3 Standard-Infrequent Access (S3 Standard-IA) and S3 One Zone-Infrequent Access (S3 One Zone-IA) for long-lived, but less frequently accessed data; and Amazon S3 Glacier (S3 Glacier) and Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive) for long-term archive and digital preservation. If you have data residency requirements that can’t be met by an existing AWS Region, you can use the S3 Outposts storage class to store your S3 data on-premises. Amazon S3 also offers capabilities to manage your data throughout its lifecycle. Once an S3 Lifecycle policy is set, your data will automatically transfer to a different storage class without any changes to your application.

https://aws.amazon.com/getting-started/hands-on/getting-started-using-amazon-s3-intelligent-tiering/?nc1=h_ls

You might want to use Transfer Acceleration on a bucket for various reasons, including the following:

You have customers that upload to a centralized bucket from all over the world.

You transfer gigabytes to terabytes of data on a regular basis across continents.

You are unable to utilize all of your available bandwidth over the Internet when uploading to Amazon S3.

https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html

https://aws.amazon.com/s3/transfer-acceleration/#:~:text=S3%20Transfer%20Acceleration%20(S3TA)%20reduces,to%20S3%20for%20remote%20applications:

"Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects. Customers who have either web or mobile applications with widespread users or applications hosted far away from their S3 bucket can experience long and variable upload and download speeds over the Internet"

https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html

"Improved throughput - You can upload parts in parallel to improve throughput."

https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/

How can I redirect HTTP requests to HTTPS using an Application Load Balancer? Last updated: 2020-10-30 I want to redirect HTTP requests to HTTPS using Application Load Balancer listener rules. How can I do this? Resolution Reference:https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/

https://docs.aws.amazon.com/lambda/latest/dg/services-rds.htmlhttps://docs.aws.amazon.com/lambda/latest/dg/with-sns.html

Amazon S3 sends event notifications about S3 buckets (for example, object created, object removed, or object restored) to an SNS topic in the same Region.

The SNS topic publishes the event to an SQS queue in the central Region.

The SQS queue is configured as the event source for your Lambda function and buffers the event messages for the Lambda function.

The Lambda function polls the SQS queue for messages and processes the Amazon S3 event notifications according to your application’s requirements.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/subscribe-a-lambda-function-to-event-notifications-from-s3-buckets-in-different-aws-regions.html

"In some cases, this connection alone is not enough. It is always better to guarantee a fallback connection as the backup of DX. There are several options, but implementing it with an AWS Site-To-Site VPN is a real cost-effective solution that can be exploited to reduce costs or, in the meantime, wait for the setup of a second DX."

https://www.proud2becloud.com/hybrid-cloud-networking-backup-aws-direct-connect-network-connection-with-aws-site-to-site-vpn/

AURORA is 5x performance improvement over MySQL on RDS and handles more read requests than write,; maintaining high availability = Multi-AZ deployment

The storage solution that will meet these requirements most cost-effectively is B: Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 Glacier Deep Archive after 1 month. Amazon S3 Glacier Deep Archive is a secure, durable, and extremely low-cost Amazon S3 storage class for long-term retention of data that is rarely accessed and for which retrieval times of several hours are acceptable. It is the lowest-cost storage option in Amazon S3, making it a cost-effective choice for storing backup files that are not accessed after 1 month. You can use an S3 Lifecycle configuration to automatically transition objects from S3 Standard to S3 Glacier Deep Archive after 1 month. This will minimize the storage costs for the backup files that are not accessed frequently.

To meet the requirements of detecting and alerting the administrators when PII is shared and automating remediation with the least development effort, the best approach would be to use Amazon S3 bucket as a secure transfer point and scan the objects in the bucket with Amazon Macie. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data stored in Amazon S3. It can be used to classify sensitive data, monitor access to sensitive data, and automate remediation actions.

In this scenario, after uploading the files to the Amazon S3 bucket, the objects can be scanned for PII by Amazon Macie, and if it detects any PII, it can trigger an Amazon Simple Notification Service (SNS) notification to alert the administrators to remove the objects containing PII. This approach requires the least development effort, as Amazon Macie already has pre-built data classification rules that can detect PII in various formats.

Hence, option B is the correct answer.

"Create an Amazon SQS queue to hold the jobs that needs to be processed. Create an Amazon EC2 Auto Scaling group for the compute application. Set the scaling policy for the Auto Scaling group to add and remove nodes based on the number of items in the SQS queue"

In this case we need to find a durable and loosely coupled solution for storing jobs. Amazon SQS is ideal for this use case and can be configured to use dynamic scalingbased on the number of jobs waiting in the queue.To configure this scaling you can use the backlog per instance metric with the target value being the acceptable backlog per instance to maintain. You can calculate these numbers as follows: Backlog per instance: To calculate your backlog per instance, start with the ApproximateNumberOfMessages queue attribute to determine the length of the SQS queue

Amazon S3 is a highly scalable and durable object storage service that can store and retrieve any amount of data from anywhere on the web1. Users can configure the application to upload images directly from each user’s browser to Amazon S3 through the use of a presigned URL. A presigned URL is a URL that gives access to an object in an S3 bucket for a limited time and with a specificaction, such as uploading an object2. Users can generate a presigned URL programmatically using the AWS SDKs or AWS CLI. By using a presigned URL, users can reduce coupling within the application and improve website performance, as they do not need to send the images to the web server first.

AWS Lambda is a serverless compute service that runs code in response to events and automatically manages the underlying compute resources3. Users can configure S3 Event Notifications to invoke an AWS Lambda function when an image is uploaded. S3 EventNotifications is a feature that allows users to receive notifications when certain events happen in an S3 bucket, such as object creation or deletion. Users can configure S3 Event Notifications to invoke a Lambda function that resizes the image and stores it back in the same or a different S3 bucket. This way, users can offload the image resizing task from the web server to Lambda.

VPC endpoint allows you to connect to AWS services using a private network instead of using the public Internet

https://aws.amazon.com/s3/storage-classes/?trk=66264cd8-3b73-416c-9693-ea7cf4fe846a &sc_channel=ps&s_kwcid=AL!4422!3!536452716950!p!!g!!aws%20s3%20pricing&ef_id=Cj0KCQjwnbmaBhD-ARIsAGTPcfVHUZN5_BMrzl5zBcaC8KnqpnNZvjbZzqPkH6k7q4JcYO5KFLx0YYgaAm6nEALw_wcB:G:s&s_kwcid=AL!4422!3!536452716950!p!!g!!aws%20s3%20pricing

Fromhttps://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

For most users, the default AWS KMS key store, which is protected by FIPS 140-2 validated cryptographic modules, fulfills their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service. However, you might consider creating a custom key store if your organization has any of the following requirements: Key material cannot be stored in a shared environment. Key material must be subject to a secondary, independent audit path. The HSMs that generate and store key material must be certified at FIPS 140-2 Level 3.https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

Understanding the Requirement: The company wants to cost-optimize their workload that uses EC2, Lambda, Fargate, and SageMaker, covering the most services with the fewest savings plans.

Analysis of Options:

EC2 Instance Savings Plan: Limited to EC2 and SageMaker, missing coverage for Lambda and Fargate.

Compute Savings Plan: Provides the most flexibility, covering a broad range of compute services, including EC2, Lambda, Fargate, and SageMaker.

SageMaker Savings Plan: Specifically for SageMaker, missing coverage for EC2, Lambda, and Fargate.

Combination of plans: The Compute Savings Plan is versatile and can be combined to cover different services efficiently.

Best Solution:

Compute Savings Plan for EC2, Lambda, and SageMaker: Covers the primary compute services efficiently.

Compute Savings Plan for Lambda, Fargate, and EC2: Covers the remaining services, ensuring broad coverage with minimal plans.

Understanding the Requirement: The company has petabytes of data in S3 Standard across multiple buckets with varying access frequencies. They do not know the access patterns and need a cost-optimized storage solution with minimal operational effort.

Analysis of Options:

S3 Intelligent-Tiering: This storage class automatically moves data between two access tiers (frequent and infrequent) based on changing access patterns. It incurs a small monitoring and automation charge but eliminates the need to manually move data between storage classes.

S3 Storage Class Analysis Tool: While useful for determining access patterns, this tool requires manual intervention to move objects to the appropriate storage class, which increases operational overhead.

S3 Glacier Instant Retrieval: This storage class is designed for data that is rarely accessed but requires instant retrieval when needed. It may not be suitable for data with unknown and varying access patterns.

S3 One Zone-IA: This is a lower-cost option for infrequently accessed data stored in a single availability zone. It does not provide the same level of durability and availability as other options and requires knowledge of access patterns.

Best Option for Operational Efficiency:

S3 Intelligent-Tiering provides the best balance of cost savings and operational efficiency. It dynamically adjusts to access patterns without manual intervention, ensuring the company is only paying for what they need without the risk of incurring high costs for infrequent access data.

Understanding the Requirement: The company needs a container solution that can scale across on-premises, hybrid, and cloud environments, with a load balancer for HTTP traffic.

Analysis of Options:

Fargate Launch Type and ECS Anywhere: Using Fargate for cloud-based containers and ECS Anywhere for on-premises containers provides a unified management experience across environments without needing to manage infrastructure.

Application Load Balancer: Suitable for HTTP traffic and can distribute requests to the ECS services, ensuring scalability and performance.

Network Load Balancer: Typically used for TCP/UDP traffic, not specifically optimized for HTTP traffic.

EC2 Launch Type for ECS and ECS Anywhere with Fargate: Involves managing infrastructure for EC2 instances, increasing operational overhead.

Best Combination of Solutions:

ECS with Fargate Launch Type and ECS Anywhere: This provides flexibility and scalability across hybrid environments with minimal operational overhead.

Application Load Balancer: Optimized for HTTP traffic, ensuring efficient load distribution and scaling for the ECS services.

Understanding the Requirement: The application running on EC2 instances in a private subnet needs to process sensitive information from an S3 bucket without using the internet.

Analysis of Options:

Internet Gateway: This would expose the application to the internet, which is not suitable for accessing sensitive information securely.

VPN Connection: VPN is primarily used for secure connections between on-premises networks and AWS VPCs, not for direct S3 access within the same VPC.

NAT Gateway: This allows instances in a private subnet to connect to the internet, but the goal is to avoid internet access.

VPC Endpoint: Provides a private connection between the VPC and S3 without using the internet, ensuring secure access to the S3 bucket.

Best Solution:

VPC Endpoint: Configuring a VPC endpoint allows secure, private communication between the EC2 instances and the S3 bucket without using the internet, ensuring data security and compliance.

Understanding the Requirement: The company needs programmatic access to its AWS usage costs for the current year and cost forecasts for the next 12 months, with minimal operational overhead.

Analysis of Options:

AWS Cost Explorer API: Provides programmatic access to detailed usage and cost data, including forecast costs. It supports pagination for handling large datasets, making it an efficient solution.

Downloadable AWS Cost Explorer report csv files: While useful, this method requires manual handling of files and does not provide real-time access.

AWS Budgets actions via FTP: This is less suitable as it involves setting up FTP transfers and does not provide the same level of detail and real-time access as the API.

AWS Budgets reports via SMTP: Similar to FTP, this method involves additional setup and lacks the real-time access and detail provided by the API.

Best Option for Minimal Operational Overhead:

AWS Cost Explorer API provides direct, programmatic access to cost data, including detailed usage and forecasting, with minimal setup and operational effort. It is the most efficient solution for integrating cost data into an operational cost dashboard.

Understanding the Requirement: The company needs to control the creation, rotation, and disabling of encryption keys for data stored in S3 with minimal effort.

Analysis of Options:

SSE-S3: Provides server-side encryption using S3 managed keys but does not offer full control over key management.

Customer managed key with AWS KMS (SSE-KMS): Allows the company to fully control key creation, rotation, and disabling, providing a high level of security and compliance.

AWS managed key with AWS KMS (SSE-KMS): While it provides some control, it does not offer the same level of granularity as customer-managed keys.

EC2 instance encryption and re-upload: This approach is operationally intensive and does not leverage AWS managed services for efficient key management.

Best Solution:

Customer managed key with AWS KMS (SSE-KMS): This solution meets the requirement for full control over encryption keys with minimal operational overhead, leveraging AWS managed services for secure key management.

Understanding the Requirement: The order processing system requires multiple independent validation steps, each handled by separate Lambda functions, with each function accessing only the subset of order information it needs. The system should be loosely coupled to accommodate future changes.

Analysis of Options:

Amazon SQS with a new Lambda function for transformation: This involves additional complexity in creating and managing multiple SQS queues and an extra Lambda function for data transformation.

Amazon SNS with message filtering: While SNS supports message filtering, it is more suited for pub/sub messaging patterns rather than event-driven processing requiring fine-grained control over the data sent to each function.

Amazon EventBridge with input transformers: EventBridge is designed for event-driven architectures, allowing for fine-grained control with input transformers that can modify and filter the event data sent to each target Lambda function, ensuring each function receives only the necessary information.

SQS with synchronous Lambda invocations: This approach adds unnecessary complexity with synchronous invocations and is not ideal for an event-driven, loosely coupled architecture.

Best Solution:

Amazon EventBridge with input transformers: This option provides the most flexible, scalable, and loosely coupled architecture, enabling each Lambda function to receive only the required subset of data.

Understanding the Requirement: The university wants to centralize management and automate backups for its AWS services (EC2, RDS, and DynamoDB), reducing reliance on custom scripts.

Analysis of Options:

Third-party backup software with AWS Storage Gateway: This solution introduces external dependencies and adds complexity compared to using native AWS services.

AWS Backup: Provides a centralized, fully managed service to automate and manage backups across various AWS services, including EC2, RDS, and DynamoDB.

AWS Config: Primarily used for compliance and configuration monitoring, not for backup management.

AWS Systems Manager State Manager: Useful for configuration management but not specifically designed for managing backups.

Best Solution:

AWS Backup: This service offers the necessary functionality to centralize and automate backups, providing a streamlined and integrated solution with minimal effort.

Requirement Analysis: The goal is to prevent accidental deletion of EBS snapshots while avoiding indefinite retention.

Recycle Bin for EBS Snapshots: AWS Recycle Bin allows for retention rules that prevent immediate deletion of snapshots, providing a safety net against accidental deletions.

Retention Rule: A 7-day retention rule ensures snapshots are not permanently deleted immediately, giving time to recover from accidental deletions.

Implementation:

Enable Recycle Bin in your AWS account.

Create a retention rule that specifies a 7-day period for EBS snapshots.

Apply this rule to all EBS snapshots.

Conclusion: This solution provides an automated way to prevent data loss from accidental deletions with minimal development effort.

References

AWS Recycle Bin:AWS Recycle Bin Documentation

Understanding the Requirement: The application experiences slow performance at the start of peak hours, but normalizes after a few hours. The goal is to ensure proper performance at the beginning of peak hours.

Analysis of Options:

Application Load Balancer: Ensures proper traffic distribution but does not address the need to have sufficient instances running at the start of peak hours.

Dynamic Scaling Policy Based on Memory or CPU Utilization: While dynamic scaling reacts to usage metrics, it may not preemptively scale in anticipation of peak hours, leading to delays as new instances are launched and become available.

Scheduled Scaling Policy: This allows the Auto Scaling group to launch instances ahead of time, ensuring that enough instances are available and ready to handle the increased load right at the start of peak hours.

Best Solution:

Scheduled Scaling Policy: This approach ensures that new instances are launched and ready before peak hours begin, addressing the slow performance issue at the start of peak periods.

Understanding the Requirement: The application running in a private subnet needs to store and retrieve data from S3 without data traveling over the public internet.

Analysis of Options:

NAT Gateway: Allows private subnets to access the internet but incurs additional costs and still routes traffic through the public internet.

AWS Storage Gateway: Provides hybrid cloud storage solutions but is not the most cost-effective for direct S3 access from within the VPC.

S3 Interface Endpoint: Provides private access to S3 but is generally used for specific use cases where more granular control is required, which might be overkill and more expensive.

S3 Gateway Endpoint: Provides private, cost-effective access to S3 from within the VPC without routing traffic through the public internet.

Best Solution:

S3 Gateway Endpoint: This option meets the requirements for secure, private access to S3 from a private subnet most cost-effectively.

Understanding the Requirement: The company needs logs to be highly available for 30 days for frequent analysis, retained for an additional 60 days for backup, and deleted after 90 days.

Analysis of Options:

Transition to S3 Standard after 30 days: Keeps logs in the same high-availability storage, not cost-effective.

Transition to S3 Standard-IA, then Glacier Flexible Retrieval after 90 days: Adds unnecessary cost and complexity since objects need to be accessible for only 30 days and then retained for 60 days.

Transition to Glacier Flexible Retrieval after 30 days: Not suitable for frequent access required in the first 30 days.

Transition to S3 One Zone-IA after 30 days, then Glacier Flexible Retrieval: Provides cost-effective storage for infrequently accessed logs after the initial 30-day period, then moves to the cheapest long-term storage before deletion.

Best Solution:

Transition to S3 One Zone-IA after 30 days, then Glacier Flexible Retrieval: This solution meets the requirements for high availability, cost-effective storage for backup, and scheduled deletion with the least cost.

Understanding the Requirement: EC2 instances need to upload data to S3 without using the public internet, and on-premises servers need to consume this data.

Analysis of Options:

Interface VPC Endpoint for EC2: Not relevant for accessing S3.

Gateway VPC Endpoint for S3 and Direct Connect: Provides private connectivity from EC2 instances to S3 and from on-premises to AWS, ensuring compliance with the requirement to avoid public internet.

Transit Gateway and Site-to-Site VPN: Adds unnecessary complexity and does not provide the same level of performance as Direct Connect.

Proxy EC2 Instances with NAT Gateways: Increases complexity and costs compared to a direct connection using VPC endpoints and Direct Connect.

Best Solution:

Gateway VPC Endpoint for S3 and Direct Connect: This solution ensures secure, private data transfer both within AWS and between on-premises and AWS, meeting the compliance requirements effectively.

Understanding the Requirement: The application running on EC2 instances in private subnets needs to securely connect to an Amazon SQS queue without exposing traffic to the public internet.

Analysis of Options:

Interface VPC Endpoint in Private Subnets: Allows private, secure connectivity to SQS without using the public internet.Configuring security groups ensures controlled access from EC2 instances.

Interface VPC Endpoint in Public Subnets: Not necessary for private EC2 instances and exposes additional security risks.

Gateway Endpoint: Gateway endpoints are not supported for SQS; they are used for services like S3 and DynamoDB.

NAT Gateway with IAM Role: Increases costs and complexity compared to using an interface VPC endpoint directly.

Best Solution:

Interface VPC Endpoint in Private Subnets: This option ensures secure, private connectivity to SQS, meeting the requirement with minimal complexity and optimal security.

Requirement Analysis: The company needs to scale throughput for uploading large files to S3 and downloading them to EC2 instances.

S3 Multipart Uploads: This method allows for the parallel upload of parts of a file, improving upload efficiency and reliability.

Parallel Fetching: Fetching multiple byte-ranges in parallel from S3 improves download performance.

Implementation:

For uploads, use the S3 multipart upload API to upload files in parallel.

For downloads, use the S3 API to request multiple byte-ranges concurrently.

Conclusion: These solutions effectively scale throughput and improve the performance of both uploads and downloads.

References

S3 Multipart Upload:Amazon S3 Multipart Upload

Parallel Fetching:S3 Byte-Range Fetches

Understanding the Requirement: The job is stateful, cannot tolerate interruptions, and needs to run reliably for at least one hour each week.

Analysis of Options:

AWS Fargate with Amazon ECS and EventBridge: This option provides a serverless compute engine for containers that can run stateful tasks reliably. Using EventBridge Scheduler, the job can be triggered automatically at the specified time without manual intervention.

AWS Lambda with EventBridge: Lambda functions are not suitable for long-running stateful jobs since they have a maximum execution time of 15 minutes.

EC2 Spot Instances: Spot Instances can be interrupted, making them unsuitable for a stateful job that cannot tolerate interruptions.

AWS DataSync: This service is primarily for moving large amounts of data and is not designed to run stateful analysis jobs.

Best Option for Reliable, Scheduled Execution:

The Fargate task on ECS with EventBridge Scheduler meets all requirements, providing the necessary reliability and scheduling capabilities without interruption risks.

Understanding the Requirement: The company needs to map its IT infrastructure to identify and enforce security policies, with the ability to quickly query and identify security risks.

Analysis of Options:

Amazon RDS: While suitable for relational data, it is not optimized for handling complex relationships and querying those relationships, which is essential for an IT infrastructure map.

Amazon Neptune: A graph database service designed for handling highly connected data. It uses SPARQL to query graph data efficiently, making it ideal for mapping IT infrastructure and identifying relationships that pose security risks.

Amazon Redshift: A data warehouse solution optimized for complex queries on large datasets but not specifically for graph data.

Amazon DynamoDB: A NoSQL database that uses PartiQL for querying, but it is not optimized for complex relationships in graph data.

Best Option for Mapping and Querying IT Infrastructure:

Amazon Neptune provides the most suitable solution with the least operational overhead. It is purpose-built for graph data and enables efficient querying of complex relationships to identify security risks.

Understanding the Requirement: The company needs to enable communication between VPCs across multiple AWS Regions with minimal administrative effort.

Analysis of Options:

VPC Peering: Managing multiple VPC peering connections across regions is complex and difficult to scale, leading to significant administrative overhead.

AWS Direct Connect Gateways: Primarily used for creating private connections between AWS and on-premises environments, not for inter-VPC communication across regions.

AWS Transit Gateway: Simplifies VPC interconnections within a region and supports Transit Gateway peering for cross-region connectivity, reducing administrative complexity.

AWS PrivateLink: Used for accessing AWS services and third-party services over a private connection, not for inter-VPC communication.

Best Solution:

AWS Transit Gateway with Transit Gateway Peering: This option provides a scalable and efficient solution for managing VPC communications both within a single region and across multiple regions with minimal administrative overhead.

Requirement Analysis: The application involves batch processing of large data transfers between EC2 instances.

Data Transfer Costs: Data transfer within the same Availability Zone (AZ) is typically free, while cross-AZ transfers incur additional costs.

Implementation:

Launch all EC2 instances within the same Availability Zone.

Ensure the instances are part of the same subnet to facilitate seamless data transfer.

Conclusion: Placing all EC2 instances in the same AZ reduces data transfer costs significantly without affecting the application’s functionality.

References

AWS Pricing:AWS Data Transfer Pricing

Requirement Analysis: The product catalog search is causing high CPU utilization on the MySQL DB instance, slowing down the website.

ElastiCache Overview: Amazon ElastiCache for Redis can be used to cache frequently accessed data, reducing load on the database.

Lazy Loading: This caching strategy loads data into the cache only when it is requested, improving response times for repeated queries.

Implementation:

Set up an ElastiCache for Redis cluster.

Modify the application to check the cache before querying the database.

Use lazy loading to populate the cache on cache misses.

Conclusion: This approach reduces database load and improves website performance during product catalog searches.

References

Amazon ElastiCache:ElastiCache Documentation

Caching Strategies:ElastiCache Caching Strategies

 This solution meets the requirements with the least operational overhead because it uses AWS services that are fully managed and scalable. The EventBridge rule can detect the DeleteKey operation from the AWS KMS API and trigger the Systems Manager Automation runbook, which can execute a predefined workflow to cancel the key deletion. The EventBridge rule can also publish an SNS message to the topic that sends an email notification to the administrators. This way, the company can prevent the accidental deletion of KMS keys and notify the administrators of any attempts to delete them.

Option A is not a valid solution because AWS Config rules are used to evaluate the configuration of AWS resources, not to cancel the deletion of KMS keys. Option B is not a valid solution because it requires creating and maintaining a custom Lambda function that has logic to prevent KMS key deletion, which adds operational overhead. Option D is not a valid solution because it only notifies the administrators of the DeleteKey operation, but does not cancel it.

Requirement Analysis: Need quick, cost-effective, and consistent access to on-premises network services from multiple AWS accounts.

AWS Transit Gateway: Centralizes and simplifies network management by connecting VPCs and on-premises networks.

Direct Connect Integration: Assigning DX to the transit gateway ensures consistent and high-performance connectivity.

Operational Overhead: Minimal because Transit Gateway simplifies routing and management.

Implementation:

Set up AWS Transit Gateway.

Connect new AWS accounts to the Transit Gateway.

Route traffic through Transit Gateway to on-premises servers via Direct Connect.

Conclusion: This solution provides a scalable, cost-effective, and low-overhead method to meet connectivity requirements.

References

AWS Transit Gateway:AWS Transit Gateway Documentation

Understanding the Requirement: The company wants to restrict each application to its specific prefix in an S3 bucket and have granular control over the objects under each prefix.

Analysis of Options:

Dedicated S3 Access Points: Provides a scalable and flexible way to manage access to S3 buckets, allowing specific policies to be attached to each access point, thereby controlling access at the prefix level.

S3 Batch Operations: Suitable for large-scale changes but involves more operational overhead and does not dynamically control future access.

Replication to new S3 buckets: Involves unnecessary duplication of data and increased storage costs, and operational overhead for managing multiple buckets.

Combination of replication and access points: Adds unnecessary complexity and overhead compared to using access points directly.

Best Solution:

Dedicated S3 Access Points: This provides the least operational overhead while meeting the requirements for prefix-level access control and granular management.

Understanding the Requirement: Senior leadership wants a custom dashboard displaying NAT gateway costs daily, starting from the beginning of the current month.

Analysis of Options:

QuickSight with DataSync: While QuickSight is suitable for dashboards, DataSync is not designed for querying and analyzing data reports.

QuickSight with Athena: QuickSight can visualize data queried by Athena, which is designed to analyze data directly from S3.

CloudWatch with DataSync: CloudWatch is primarily for monitoring metrics, not for creating detailed cost analysis dashboards.

CloudWatch with Athena: Similarly, using CloudWatch with Athena does not align well with the requirement for a visual dashboard.

Best Solution for Visualization and Querying:

Amazon QuickSight with Athena: This combination allows for powerful data visualization and querying capabilities. QuickSight can create dynamic dashboards, while Athena efficiently queries the cost and usage report data stored in S3.

AWS Outposts is a fully managed service that delivers AWS infrastructure and services to virtually any on-premises or edge location for a consistent hybrid experience. AWS Outposts supports Amazon EKS, which is a managed service that makes it easy to run Kubernetes on AWS and on-premises. By installing an AWS Outposts rack in the company’s data center, the company can run containers in a Kubernetes environment using Amazon EKS and other AWS managed services, while keeping the data locally in the company’s data center and meeting the compliance requirements. AWS Outposts also provides a seamless connection to the local AWS Region for access to a broad range of AWS services.

Option A is not a valid solution because AWS Local Zones are not deployed in the company’s data center, but in large metropolitan areas closer to end users. AWS Local Zones are owned, managed, and operated by AWS, and they provide low-latency access to the public internet and the local AWS Region. Option B is not a valid solution because AWS Snowmobile is a service that transports exabytes of data to AWS using a 45-foot long ruggedized shipping container pulled by a semi-trailer truck. AWS Snowmobile is not designed for running containers or AWS managed services on-premises, but for large-scale data migration. Option D is not a valid solution because AWS Snowball Edge Storage Optimized is a device that provides 80 TB of HDD or 210 TB of NVMe storage capacity for data transfer and edge computing. AWS Snowball Edge Storage Optimized does not support Amazon EKS or other AWS managed services, and it is not suitable for running containers in a Kubernetes environment.

Understanding the Requirement: The data science team needs to securely share selective data with the engineering team across multiple AWS accounts with minimal operational overhead.

Analysis of Options:

Copy data to a common account: Involves data duplication and increased storage costs, and requires managing additional permissions.

Lake Formation permissions Grant command: This method can be effective but may involve significant operational overhead if managing permissions across multiple accounts and datasets manually.

AWS Data Exchange: Designed for sharing data externally or between organizations, which adds unnecessary complexity for internal sharing within the same organization.

Lake Formation tag-based access control: Provides a scalable and efficient way to manage access permissions based on tags, allowing fine-grained control and simplified management across accounts.

Best Solution:

Lake Formation tag-based access control: This solution meets the requirements with the least operational overhead, allowing efficient management of cross-account permissions and secure data sharing.

Understanding the Requirement: The company needs to monitor and notify changes to the OU hierarchy with minimal operational overhead.

Analysis of Options:

AWS Control Tower with Account Drift Notifications: AWS Control Tower provides automated account provisioning and governance, including drift detection and notifications for changes in the OU hierarchy.

AWS Control Tower with AWS Config: AWS Config provides resource configuration tracking but is more complex compared to drift notifications directly available in Control Tower.

AWS Service Catalog with CloudTrail: While CloudTrail tracks changes, setting up notification mechanisms involves more operational overhead.

AWS CloudFormation with Drift Detection: Suitable for tracking configuration changes but less efficient for monitoring OU hierarchy changes compared to Control Tower's built-in features.

Best Solution:

AWS Control Tower with Account Drift Notifications: Provides a streamlined and efficient way to detect and notify changes in the OU hierarchy with minimal operational overhead.

Understanding the Requirement: The company wants to maximize cost savings for their application over the next three years, with the flexibility to change the instance family and sizes within the next six months based on application popularity and usage.

Analysis of Options:

Compute Savings Plan: This plan offers the most flexibility, allowing the company to change instance families, sizes, and regions. It applies to EC2, AWS Fargate, and AWS Lambda, offering significant cost savings with this flexibility.

EC2 Instance Savings Plan: This plan is less flexible than the Compute Savings Plan, as it only applies to EC2 instances and allows changes within a specific instance family.

Zonal Reserved Instances: These provide a discount on EC2 instances but are tied to a specific availability zone and instance type, offering the least flexibility.

Standard Reserved Instances: These offer discounts on EC2 instances but with more restrictions compared to Savings Plans, particularly when changing instance types and families.

Best Option for Flexibility and Savings:

The Compute Savings Plan is the most cost-effective solution because it allows the company to maintain flexibility while still achieving significant cost savings. This is critical for adapting to changing application demands without being locked into specific instance types or families.

Understanding the Requirement: The company needs to keep daily EBS snapshots for 1 month and retain monthly snapshots for 7 years due to new regulations.

Analysis of Options:

S3 Glacier Deep Archive: Moving snapshots to S3 Glacier Deep Archive involves additional complexity and might not be the most straightforward approach for EBS snapshots.

EBS Snapshots Archive: This is a cost-effective solution designed specifically for long-term storage of EBS snapshots.

Standard Tier for 7 Years: Keeping snapshots in the standard tier for 7 years is more expensive and does not optimize costs.

EBS Direct APIs to S3: This involves additional operational overhead and is not the most cost-effective approach compared to using EBS Snapshots Archive.

Best Solution:

EBS Snapshots Archive: Adding a policy to move monthly snapshots to the EBS Snapshots Archive for long-term retention is the most cost-effective and administratively simple solution.

Understanding the Requirement: The company needs to collect transaction data in real time, avoid data duplication, and perform additional processing without managing infrastructure.

Analysis of Options:

SQS FIFO Queue with Lambda: Ensures data is processed in order and prevents duplication.Lambda handles processing without the need to manage servers.

SQS FIFO Queue with AWS Batch: While this ensures no duplicates, it introduces additional complexity and management overhead with AWS Batch.

Kinesis Data Streams with AWS Batch and EC2: Involves more components and infrastructure management, which is against the requirement of not wanting to manage infrastructure.

Step Functions with Lambda and EC2: Involves setting up multiple services and still requires managing EC2 instances, increasing complexity.

Best Solution:

SQS FIFO Queue with Lambda: This combination ensures real-time data processing, prevents duplication, and minimizes infrastructure management, meeting all requirements efficiently.

Requirement Analysis: The Lambda function in the administrator account needs to process messages from an SNS topic in the production account.

IAM Policy for SNS Topic: Allows the Lambda function to subscribe and be invoked by the SNS topic.

SQS Queue for Buffering: Using an SQS queue provides reliable message delivery and buffering between SNS and Lambda, ensuring all messages are processed.

Implementation:

Create an SQS queue in the administrator account.

Set an IAM policy to allow the Lambda function to subscribe to and be invoked by the SNS topic.

Configure the SNS topic to send messages to the SQS queue.

Set up the SQS queue to trigger the Lambda function.

Conclusion: This solution ensures reliable message delivery and processing with appropriate permissions.

References

Amazon SNS:Amazon SNS Documentation

Amazon SQS:Amazon SQS Documentation

AWS Lambda:AWS Lambda Documentation

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load your data for analytics. AWS Glue can automatically discover your data in Amazon S3 and catalog it, so you can query and search the data using SQL. AWS Glue can also run serverless ETL jobs using Apache Spark and Python to transform and load your data into various destinations, such as Amazon Redshift, Amazon Athena, or Amazon Aurora. AWS Glue is a serverless service, so you only pay for the resources consumed by the jobs, and you don’t need to provision or manage any infrastructure.

Amazon Redshift is a fully managed, petabyte-scale data warehouse service that enables you to use standard SQL and your existing business intelligence (BI) tools to analyze your data. Amazon Redshift also supports massively parallel processing (MPP), which means it can distribute and execute queries across multiple nodes in parallel, delivering fast performance and scalability. Amazon Redshift Serverless is a new option that automatically scales query compute capacity based on the queries being run, so you don’t need to manage clusters or capacity. You only pay for the query processing time and the storage consumed by your data.

Amazon Redshift ML is a feature that enables you to create, train, and deploy machine learning (ML) models using familiar SQL commands. Amazon Redshift ML can automatically discover the best model and hyperparameters for your data, and store the model in Amazon SageMaker, a fully managed service that provides a comprehensive set of tools for building, training, and deploying ML models. You can then use SQL functions to apply the model to your data in Amazon Redshift and generate predictions.

The combination of AWS Glue, Amazon Redshift Serverless, and Amazon Redshift ML meets the requirements of the question, as it provides a serverless, scalable, and SQL-based solution to transform, load, and analyze the data from the Amazon S3 data lake, and to create and train ML models on the data.

Option A is not correct, because Amazon EMR is not a serverless service. Amazon EMR is a managed service that simplifies running Apache Spark, Apache Hadoop, and other big data frameworks on AWS. Amazon EMR requires you to launch and configure clusters of EC2 instances to run your ETL jobs, which adds complexity and cost compared to AWS Glue.

Option B is not correct, because Amazon Aurora Serverless is not a data warehouse service, and it does not support MPP. Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora, a relational database service that is compatible with MySQL and PostgreSQL. Amazon Aurora Serverless can automatically adjust the database capacity based on the traffic, but it does not distribute the data and queries across multiple nodes like Amazon Redshift does. Amazon Aurora Serverless is more suitable for transactional workloads than analytical workloads.

Option D is not correct, because Amazon Athena is not a data warehouse service, and it does not support MPP. Amazon Athena is an interactive query service that enables you to analyze data in Amazon S3 using standard SQL. Amazon Athena is serverless, so you only pay for the queries you run, and you don’t need to load the data into a database. However, Amazon Athena does not store the data in a columnar format, compress the data, or optimize the query execution plan like Amazon Redshift does. Amazon Athena is more suitable for ad-hoc queries than complex analytics and ML.

Understanding the Requirement: The company needs a disaster recovery solution for FSx for NetApp ONTAP in a secondary region, accessible using the same protocols (CIFS and NFS).

Analysis of Options:

Lambda Function and S3: Involves copying data to S3, which changes the access protocols and increases operational overhead.

AWS Backup: Suitable for backup and restore but not for real-time or near-real-time replication for disaster recovery.

FSx for ONTAP with SnapMirror: SnapMirror provides efficient replication between ONTAP instances, maintaining access protocols and requiring minimal operational overhead.

Amazon EFS: Does not support CIFS and requires migrating data, increasing complexity and changing access protocols.

Best Solution:

FSx for ONTAP with SnapMirror: This solution ensures seamless disaster recovery with the same access protocols and minimal operational overhead.

Understanding the Requirement: The company needs to process images as they are uploaded to S3 in a cost-effective manner, currently using an EC2 Spot Fleet for nightly processing.

Analysis of Options:

S3 Event Notifications to SQS and Lambda: This setup allows for event-driven processing with Lambda, which scales automatically based on the number of messages in the queue. It is cost-effective as Lambda charges are based on the compute time used.

S3 Event Notifications to SQS and EC2 Reserved Instance: Involves managing EC2 instances, which adds operational overhead and is less cost-effective.

S3 Event Notifications to SNS and ECS: More complex and potentially less cost-effective compared to using Lambda for simple processing tasks.

S3 Event Notifications to SNS: Requires additional configuration and management to process messages.

Best Solution:

S3 Event Notifications to SQS and Lambda: This option is the most cost-effective and scalable, leveraging AWS managed services with minimal operational overhead.

Understanding the Requirement: The company wants to centrally collect security data with minimal development effort to assess and improve security across all workloads.

Analysis of Options:

Amazon Security Lake: This is a purpose-built service for centralizing security data from across AWS services and third-party sources into a data lake. It provides native integration and requires minimal development effort to set up.

AWS Lake Formation with AWS Glue: While this can be used to create a data lake, it requires more development effort to set up and configure Glue crawlers for ingestion.

AWS Lambda with S3: This approach involves custom development to collect and process security data before storing it in S3, which requires more effort.

AWS DMS to RDS: AWS Database Migration Service is typically used for database migrations and is not suited for collecting and analyzing security data.

Best Option for Minimal Development Effort:

Amazon Security Lake provides the least development effort for setting up a centralized repository for security data. It simplifies data ingestion and management, making it the most efficient solution for this use case.

Understanding the Requirements: The company needs to optimize costs and has the flexibility to change EC2 instance types and families frequently (every 2-3 months).

Savings Plans Overview: Savings Plans offer significant savings over On-Demand pricing, with the flexibility to use any instance type and family within a region.

No Upfront Compute Savings Plan: This plan allows for cost optimization without any upfront payment, offering flexibility to change instance types and families.

Term Selection: A 1-year term is appropriate for balancing cost savings and flexibility given the frequent changes in instance types.

Conclusion: A No Upfront Compute Savings Plan for a 1-year term provides the needed flexibility and cost savings without the commitment and inflexibility of Reserved Instances.

References

AWS Savings Plans:AWS Savings Plans

AWS Cost Management Documentation:AWS Cost Management

A service control policy (SCP) is a type of policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs do not grant permissions; instead, they specify the maximum permissions for an organization or organizational unit (OU). SCPs limit permissions that identity-basedpolicies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions to entities. You can use SCPs to restrict the actions that the root user in an account can perform. You can also use SCPs to prevent users or roles in any account from creating or modifying certain AWS resources, such as EC2 instances with public IP addresses or IAM resources with inline policies or “". For example, you can create an SCP that denies the ec2:RunInstances action if the request includes the AssociatePublicIpAddress parameter set to true. You can also create an SCP that denies the iam:PutUserPolicy and iam:PutRolePolicy actions if the request includes a policy document that contains "”. By attaching these SCPs to your organization or OUs, you can prevent the deployment of AWS CloudFormation stacks that violate these rules.

AWS Control Tower proactive controls are guardrails that enforce preventive policies on your accounts and resources. Proactive guardrails are implemented as AWS Organizations service control policies (SCPs) and AWS Config rules. However, AWS Control Tower does not provide a built-in proactive guardrail to block EC2 instances with public IP addresses or IAM resources with inline policies or “*”. You would have to create your own custom guardrails using AWS CloudFormation templates and SCPs, which is essentially the same as option D. Therefore, option A is not correct.

AWS Control Tower detective controls are guardrails that detect and alert on policy violations in your accounts and resources. Detective guardrails are implemented as AWS Config rules and Amazon CloudWatch alarms. Detective guardrails do not block or remediate noncompliant resources; they only notify you of the issues. Therefore, option B is not correct.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config rules are customizable, AWS Lambda functions that AWS Config invokes to evaluate your AWS resource configurations. You can use AWS Config rules to check for compliance with your policies, such as ensuring that EC2 instances have public IP addresses disabled or IAM resources do not have inline policies or “*”. However, AWS Config rules alone cannot prevent the deployment of AWS CloudFormation stacks that violate these policies; they can only report the compliance status. You would need to use another service, such as AWS Systems Manager Session Manager, to run automation scripts to delete or modify the noncompliant resources. This would require additional configuration and permissions, and may not be the most efficient or secure way to enforce your policies. Therefore, option C is not correct.

Understanding the Requirement: The robotics company needs a public load balancer to ensure seamless communication with backend services, route traffic based on query strings, and encrypt traffic.

Analysis of Options:

Network Load Balancer with ACM Certificate: NLBs primarily operate at the transport layer (Layer 4) and do not natively support query parameter-based routing, which is a Layer 7 feature.

Gateway Load Balancer with IAM Certificate: Gateway Load Balancers are designed for deploying, scaling, and managing third-party virtual appliances and do not support HTTP path-based or query parameter-based routing.

Application Load Balancer with ACM Certificate: ALBs operate at the application layer (Layer 7), supporting features like query parameter-based routing and SSL/TLS termination with ACM certificates.

Network Load Balancer with IAM Certificate: As with the first option, NLBs do not support query parameter-based routing, making it unsuitable for this requirement.

Best Solution:

Application Load Balancer with ACM Certificate: This option provides the necessary Layer 7 routing capabilities and SSL/TLS termination to meet the requirements for query parameter-based routing and encrypted communication.

Understanding the Requirement: The company needs to automatically detect and respond to suspicious or unexpected behavior in its AWS environment, beyond the existing AWS WAF setup.

Analysis of Options:

Amazon GuardDuty: Provides continuous monitoring and threat detection across AWS accounts and resources, including integration with AWS WAF for automated response.

AWS Firewall Manager: Manages firewall rules across multiple accounts but is more focused on central management than threat detection.

Amazon Inspector: Focuses on security assessments and vulnerability management rather than real-time threat detection.

Amazon Macie: Primarily used for data security and privacy, not comprehensive threat detection.

Best Solution:

Amazon GuardDuty with EventBridge and Lambda: This combination ensures continuous threat detection and automated response by updating AWS WAF rules based on GuardDuty findings.

Understanding the Requirement: The application needs to write to multiple block storage volumes in multiple EC2 Nitro-based instances simultaneously to achieve higher availability.

Analysis of Options:

General Purpose SSD (gp3) with Multi-Attach: Supports Multi-Attach but does not provide the highest performance required for critical applications.

Throughput Optimized HDD (st1) with Multi-Attach: Not suitable for applications requiring high performance and low latency.

Provisioned IOPS SSD (io2) with Multi-Attach: Provides high performance and durability, suitable for applications requiring simultaneous writes and high availability.

General Purpose SSD (gp2) with Multi-Attach: Similar to gp3 but with less flexibility and performance.

Best Solution:

Provisioned IOPS SSD (io2) with Multi-Attach: This solution ensures the highest performance and availability for the application by allowing multiple EC2 instances to attach to and write to the same EBS volume simultaneously.

Understanding the Requirement: The company needs to store a copy of all new photos in the us-east-1 Region from an S3 bucket in the us-west-1 Region.

Analysis of Options:

Cross-Region Replication: Automatically replicates objects across regions with minimal operational effort once configured.

CORS Configuration: Used for allowing resources on a web page to be requested from another domain, not for replication.

S3 Lifecycle Rule: Manages the transition of objects between storage classes within the same bucket, not for cross-region replication.

S3 Event Notifications with Lambda: Requires additional configuration and management compared to Cross-Region Replication.

Best Solution:

S3 Cross-Region Replication: This solution provides an automated and efficient way to replicate objects to another region, meeting the requirement with the least operational effort.

Understanding the Requirement: The company wants to migrate an application to AWS, increase its availability, and use AWS WAF in the architecture.

Analysis of Options:

Auto Scaling group with ALB and WAF: This option provides high availability by distributing instances across multiple Availability Zones. The ALB ensures even traffic distribution, and AWS WAF provides security at the application layer.

Cluster placement group with ALB and WAF: Cluster placement groups are for low-latency networking within a single AZ, which does not provide the high availability across AZs.

Two EC2 instances with ALB and WAF: This setup provides some availability but does not scale automatically, missing the benefits of an Auto Scaling group.

Auto Scaling group with WAF directly: AWS WAF cannot be directly connected to an Auto Scaling group; it needs to be attached to an ALB, CloudFront distribution, or API Gateway.

Best Solution:

Auto Scaling group with ALB and WAF: This configuration ensures high availability, scalability, and security, meeting all the requirements effectively.

Understanding the Requirement: The company needs to copy files generated by an on-premises application to AWS without modifying the application code. The files are stored on an SMB file share and require a low-latency connection to the application servers.

Analysis of Options:

Amazon Elastic File System (EFS): EFS is designed for Linux-based workloads and does not natively support SMB file shares.

Amazon FSx for Windows File Server: FSx supports SMB file shares but would require changes to the application or additional infrastructure to connect on-premises systems.

AWS Snowball: Suitable for large data transfers but not for continuous, low-latency file copying.

AWS Storage Gateway: Provides a hybrid cloud storage solution, supporting SMB file shares and enabling seamless copying of files to AWS without requiring changes to the application.

Best Solution:

AWS Storage Gateway: This service meets the requirement for a low-latency, seamless file transfer solution from on-premises to AWS without modifying the application code.

Understanding the Requirement: The company needs to migrate applications to AWS, maintaining isolated networks while allowing communication with a shared services VPC and among the applications.

Analysis of Options:

Software VPN Tunnels: This approach involves high administrative overhead and complexity in managing multiple VPN connections.

VPC Peering: While suitable for smaller numbers of VPCs, it becomes complex and hard to manage at scale with over 100 applications.

Direct Connect: Primarily used for high-bandwidth, low-latency connections to on-premises networks, not inter-VPC communication.

Transit Gateway: Simplifies network management by acting as a central hub, allowing easy routing and scalability as more applications are migrated.

Best Solution:

Transit Gateway: This provides a scalable, efficient solution with minimal administrative overhead for managing network connections between multiple VPCs and the shared services VPC.

Requirement Analysis: The goal is to migrate from Microsoft SQL Server to Amazon Aurora PostgreSQL with minimal application code changes.

Babelfish for Aurora PostgreSQL: Babelfish allows Aurora PostgreSQL to understand SQL Server queries natively, reducing the need for application code changes.

AWS Schema Conversion Tool (SCT): This tool helps in converting the database schema from SQL Server to PostgreSQL.

AWS Database Migration Service (DMS): DMS can be used to migrate data from SQL Server to Aurora PostgreSQL seamlessly.

Combined Approach: Enabling Babelfish addresses the SQL query compatibility, while SCT and DMS handle the schema and data migration.

References

Babelfish for Aurora PostgreSQL:Babelfish Documentation

AWS SCT and DMS:AWS Database Migration Service

Amazon EFSwithMax I/O performance modeis designed for workloads that require high levels of parallelism, such as video processing across multiple EC2 instances. EFS provides shared file storage that can be mounted on both Windows and Linux EC2 instances, and the Max I/O mode ensures the best performance for handling large files and concurrent access across multiple instances.

Option A and B (FSx for Windows File Server): FSx for Windows File Server is optimized for Windows workloads and would not be ideal for Linux instances or high-throughput, parallel workloads.

Option D (EFS General Purpose mode): General Purpose mode offers lower latency but doesn't support the high throughput needed for large, concurrent workloads.

AWS References:

Amazon EFS Performance Modes

This solution is the most cost-effective and scalable for analyzing large amounts of web traffic logs.

Amazon S3: Storing the logs in Amazon S3 is highly scalable, durable, and cost-effective. S3 is designed to handle large-scale data storage, which is ideal for storing tens of gigabytes of log data generated daily by multiple websites.

Amazon Athena: Athena is a serverless, interactive query service that allows you to analyze data in S3 using standard SQL. It works directly with the data stored in S3, so there’s no need to load the data into a database, which saves on costs and reduces complexity. Athena charges based on the amount of data scanned by queries, making it a cost-effective solution for on-demand analysis that only occurs once a week.

Why Not Other Options?:

Option B (Amazon RDS): Storing logs in a relational database like Amazon RDS would be more expensive due to the storage and I/O costs associated with RDS. Additionally, it would require more management overhead.

Option C (Amazon OpenSearch Service): OpenSearch is a good option for full-text search and analytics on log data, but it might be more costly and complex to manage compared to the simplicity and cost-effectiveness of Athena for periodic SQL-based queries.

Option D (Amazon EMR): While EMR can handle large-scale data processing, it involves more operational overhead and might be overkill for the type of ad-hoc, SQL-based analysis required here. Additionally, EMR costs can be higher due to the need to maintain a cluster.

AWS References:

Amazon S3- Information on how to store and manage data in Amazon S3.

Amazon Athena- Documentation on using Amazon Athena for querying data stored in S3 using SQL.

Amazon S3 Standard-IA: This storage class is designed for data that is accessed less frequently but requires rapid access when needed. It offers lower storage costs compared to S3 Standard while still providing high availability and durability.

Access Patterns: Since the files are frequently accessed in the first 30 days and rarely accessed afterward, transitioning them to S3 Standard-IA after 30 days aligns with their access patterns and reduces storage costs significantly.

Lifecycle Policy: Implementing a lifecycle policy to transition the files to S3 Standard-IA ensures automatic management of the data lifecycle, moving files to a lower-cost storage class without manual intervention. Deleting the files after 4 years further optimizes costs by removing data that is no longer needed.

This solution is designed to provide high availability and low-latency access to block storage across multiple Availability Zones with minimal implementation effort.

Windows Server Cluster Across AZs: Configuring a Windows Server Failover Cluster (WSFC) that spans two Availability Zones ensures that the application can failover from one instance to another in case of a failure, meeting the high availability requirement.

Amazon FSx for Windows File Server: FSx for Windows File Server provides fully managed Windows file storage that is accessible via the SMB protocol, which is suitable for Windows-based applications. It offers high availability and can be used as shared storage between the cluster nodes, ensuring that both nodes have access to the same data with low latency.

Why Not Other Options?:

Option B (EBS with application-level replication): This requires complex configuration and management, as EBS volumes cannot be directly shared across AZs. Application-level replication is more complex and prone to errors.

Option C (FSx for NetApp ONTAP with iSCSI): While this is a viable option, it introduces additional complexity with iSCSI and requires more specialized knowledge for setup and management.

Option D (EBS with EBS-level replication): EBS-level replication is not natively supported across AZs, and setting up a custom replication solution would increase the implementation effort.

AWS References:

Amazon FSx for Windows File Server- Overview and benefits of using FSx for Windows File Server.

Windows Server Failover Clustering on AWS- Guide on setting up a Windows Server cluster on AWS.

Amazon Timestreamis purpose-built for storing and analyzing time-series data like telemetry.

Option Aleverages Timestream, SageMaker for ML, and QuickSight for visualization, meeting all requirements with minimal complexity.

Option Binvolves more complex DynamoDB-EMR integration.

Option Cuses Neptune, which is designed for graph databases, not telemetry data.

Option Dincorrectly uses Athena for visualization instead of QuickSight.

Apresigned URLallows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS References:

Amazon S3 Presigned URLsexplain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Securityemphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A. Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B. Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.

C. Create an IAM user: Creating an IAM user and managing credentials is unnecessary overhead and less secure compared to a presigned URL for this short-term need.

The issue described in the question, where incoming traffic seems to favor one EC2 instance, is often caused by session affinity (also known as sticky sessions) being enabled on the Application Load Balancer (ALB). When session affinity is enabled, the ALB routes requests from the same client to the same EC2 instance. This can cause an imbalance in traffic distribution, leading to performance bottlenecks on certain instances while others remain underutilized.

To resolve this issue, disabling session affinity ensures that the ALB distributes incoming traffic evenly across all EC2 instances, allowing better load distribution and reducing latency. The ALB will rely on its round-robin or least outstanding requests algorithm (depending on the configuration) to distribute traffic more evenly across instances.

Option B (Network Load Balancer): The NLB is designed for Layer 4 (TCP) traffic and low latency use cases, but it is not needed here as the problem is with load balancing logic at the application layer (Layer 7). The ALB is more appropriate for HTTP/HTTPS traffic.

Option C (Increase EC2 Instances): Adding more EC2 instances does not solve the root issue of uneven traffic distribution.

Option D (Health Check Frequency): Adjusting health check frequency won't address the imbalance caused by session affinity.

AWS References:

Application Load Balancer Sticky Sessions

The best solution to enforce encryption at rest for Amazon EBS volumes is to use anIAM policyto restrict the creation of unencrypted volumes. To automatically identify and remediate unencryptedvolumes, you can useAWS Configrules, which continuously monitor the compliance of resources, andAWS Systems Managerto automate the remediation by encrypting existing unencrypted volumes. This setup requires minimal administrative overhead while ensuring compliance.

Option B (KMS): KMS is for managing encryption keys, but Config and Systems Manager provide a better solution for automatic detection and enforcement.

Option C (Macie): Macie is for data classification and is not suitable for this use case.

Option D (Inspector): Inspector is used for security vulnerabilities, not encryption compliance.

AWS References:

AWS Config Rules

AWS Systems Manager

Amazon RDS Proxy: RDS Proxy is a fully managed, highly available database proxy that makes applications more resilient to database failures by pooling and sharing connections, and it can automatically handle database failovers.

Reduced Failover Time: By using RDS Proxy, the connection management between the application and the database is improved, reducing failover times significantly. RDS Proxy maintains connections in a connection pool and reduces the time required to re-establish connections during a failover.

Configuration:

Create an RDS Proxy instance.

Configure the proxy to connect to the RDS for PostgreSQL DB instance.

Modify the application configuration to use the RDS Proxy endpoint instead of the direct database endpoint.

Operational Benefits: This solution provides high availability and reduces application timeouts during failovers with minimal changes to the application code.

Edge-optimized API endpointsroute requests through CloudFront, reducing latency for global users.

Option Acorrectly implements edge-optimization, caching, and compression to minimize latency.

Options B and Ddo not use edge optimization, leading to higher latency for global users.

Reserved concurrency inOptions C and Dimproves backend scaling but does not address global latency directly.

This solution is the most cost-effective and meets the RPO and RTO requirements of 24 hours.

Automatic Snapshots: Amazon RDS automatically creates snapshots of your DB instance at regular intervals. By copying these snapshots to another AWS Region every 24 hours, you ensure that you have a backup available in a different geographic location, providing disaster recovery capability.

RPO and RTO: Since the company’s RPO and RTO are both 24 hours, copying snapshots daily to another Region is sufficient. In the event of a disaster, you can restore the DB instance from the most recent snapshot in the target Region.

Why Not Other Options?:

Option A (Cross-Region Read Replica): This could provide a faster recovery time but is more costly due to the ongoing replication and resource usage in another Region.

Option B (DMS Cross-Region Replication): While effective for continuous replication, it introduces complexity and cost that isn’t necessary given the 24-hour RPO/RTO.

Option C (Cross-Region Native Backup Copy): This involves more manual steps and doesn’t offer as straightforward a solution as automated snapshot copying.

AWS References:

Amazon RDS Automated Backups and Snapshots- Details on automated backups and snapshots in RDS.

Copying an Amazon RDS DB Snapshot- How to copy DB snapshots to another Region.

Option Bensures the use of S3 Object Lock and Versioning to meet compliance for immutability. CloudFront enhances performance while a bucket policy ensures secure access.

Option Alacks immutability safeguards.

Option Cintroduces unnecessary complexity.

Option Dmisses out on additional security benefits offered by CloudFront.

AWSSecrets Managercan integrate directly with Amazon RDS for automatic and seamless password rotation. Secrets Manager handles the complexity of password management, including generating strong passwords and rotating them at a defined interval (e.g., every 30 days). It also automatically updates the connection information for RDS, minimizing operational overhead.

Option A (Lambda with EventBridge): While possible, this requires custom coding and operational management of Lambda, which introduces additional complexity.

Option B (Manual password change): Using the modify-db-instance command requires manual intervention and is not automated, leading to more operational effort.

Option D (Parameter Store): Systems Manager Parameter Store is less specialized for password management than Secrets Manager and does not have built-in automated rotation for RDS credentials.

AWS References:

AWS Secrets Manager Rotation for RDS

Amazon FSx for Lustreis a high-performance, fully managed file system that is ideal for applications requiring low-latency access to shared storage, especially in use cases like gaming where high throughput and low latency are essential. It integrates easily with EC2 instances, providing fast and scalable shared storage, and supports custom protocols for specific application needs.

Option A (FSx File Gateway): FSx File Gateway is designed for hybrid cloud storage and is not suited for high-performance gaming workloads.

Option B (EC2 Windows instance): Setting up a file share on a Windows instance would introduce additional administrative overhead and would not provide the necessary performance.

Option C (EFS with Lustre): While Lustre is integrated with FSx, EFS does not natively support Lustre.

AWS References:

Amazon FSx for Lustre

This solution is the most scalable and efficient way to handle large volumes of survey data while automating sentiment analysis:

API Gateway and SQS: The survey results are sent to API Gateway, which forwards the data to an SQS queue. SQS can handle large volumes of messages and ensures that messages are not lost.

AWS Lambda: Lambda is triggered by polling the SQS queue, where it processes the survey data.

Amazon Comprehend: Comprehend is used for sentiment analysis, providing insights into customer satisfaction.

DynamoDB with TTL: Results are stored in DynamoDB with aTime to Live (TTL)attribute set to expire after 365 days, automatically removing old data and reducing storage costs.

Option B (EC2 API): Running an API on EC2 requires more maintenance and scalability management compared to API Gateway.

Option C (S3 and Rekognition): Amazon Rekognition is for image and video analysis, not sentiment analysis.

Option D (Amazon Lex): Amazon Lex is used for building conversational interfaces, not sentiment analysis.

AWS References:

Amazon Comprehend for Sentiment Analysis

Amazon SQS

DynamoDB TTL

For processing thousands of images and generating large files while minimizing manual tasks and operational overhead, usingAWS Batchis the best solution. AWS Batch allows you to run large-scale, parallel, and managed batch computing jobs without needing to manage the underlying infrastructure.

AWS Batch: Automates the image processing jobs, dynamically allocating the necessary resources based on the job requirements, which reduces operational overhead.

AWS Step Functions: Orchestrates the entire image processing workflow, ensuring that tasks are executed in the correct sequence, improving manageability.

Amazon S3: Stores the processed files, providing scalable and cost-effective storage.

Option A (ECS with EC2 Spot Instances): While cost-effective, managing ECS and Spot Instances involves more operational effort.

Option C (Lambda with EC2 Spot): Lambda functions have size and duration limitations, making them less suited for large image processing tasks.

Option D (EC2 with Step Functions): Managing EC2 instances involves more overhead than using AWS Batch.

AWS References:

AWS Batch

AWS Step Functions

To run RDS instances only during business hours with the least operational overhead, you can useAmazon EventBridgeto schedule events that invokeAWS Lambda functions. The Lambda functions can be configured to start and stop the RDS instances based on the specified schedule (business hours). EventBridge rules allow you to define recurring events easily, and Lambda functions provide a serverless way to manage RDS instance start and stop operations, reducing administrative overhead.

Option A: While CloudWatch alarms could be used, they are more suited for monitoring, and using Lambda with EventBridge is simpler.

Option B (Trusted Advisor): Trusted Advisor is not ideal for scheduling tasks.

Option C (Systems Manager): Systems Manager could also work, but EventBridge and Lambda offer a more streamlined and lower-overhead solution.

AWS References:

Amazon EventBridge Scheduler

AWS Lambda

To address the high CPU utilization on the EC2 instance and the degraded performance of Amazon RDS for read requests, the solution involves two key actions: resizing the EC2 instance and leveraging Amazon RDS read replicas.

Resizing the EC2 Instance: The first step is to resize the EC2 instance to a type with more CPU capacity to handle the higher computational demands during peak usage times. This helps to alleviate the immediate pressure on the CPU.

Auto Scaling Group with a Size of 1: Although the application can only run on a single EC2 instance due to its monolithic nature, creating an Auto Scaling group with a minimum and maximum size of 1 ensures that the instance is automatically restarted or replaced in case of failure, maintaining high availability.

RDS Read Replica: Configuring an RDS read replica allows the application to offload read requests to a separate instance, thus reducing the load on the primary RDS instance. This improves the performance of read operations, which were previously bottlenecked due to the high CPU usage on the EC2 instance.

Why Not Other Options?:

Option B: Redirecting all traffic to the RDS read replica is not recommended because replicas are meant for read traffic only, not for write operations. This could lead to data consistency issues.

Option C: Increasing the RDS instance type capacity helps, but it doesn’t address the high CPU usage on the EC2 instance, nor does it provide a solution for scaling reads.

Option D: While resizing both the EC2 and RDS instances increases their capacities, it doesn’t address the specific need to offload read traffic from the primary RDS instance.

AWS References:

Amazon RDS Read Replicas- Explains how to create and use read replicas to offload read traffic from the primary database instance.

Resizing Your EC2 Instance- Guidance on resizing EC2 instances to meet workload demands.

AWS Service Catalogallows organizations to centrally manage commonly deployed IT services and offers self-service deployment capabilities to customers. By creatingService Catalog products, the consulting company can package their solutions and tools for easy reuse by customers while maintaining central control over configuration and access. This provides a standardized and automated solution with the least operational overhead for managing and deploying solutions across different customers.

Option A (CloudFormation): CloudFormation templates are useful but don't provide the same level of management and user-friendly self-service capabilities as Service Catalog.

Option C (Systems Manager): Systems Manager is more focused on managing infrastructure and doesn't offer the same self-service capabilities.

Option D (AWS Config): AWS Config is used for tracking resource configurations, not for deploying solutions.

AWS References:

AWS Service Catalog

Option Censures dynamic scaling based on demand using a target tracking scaling policy, optimizing costs.

Option Aresults in over-provisioning, leading to higher costs.

Option Bincreases costs by using larger instances.

Option Dis not feasible as instance store volumes are ephemeral and unsuitable for shared storage like EFS.

An S3 Bucket Key reduces the cost of using AWS KMS for server-side encryption by decreasing the number of requests made to KMS. By enabling S3 Bucket Key, the company can meet its encryption requirements with KMS keys while optimizing costs by reducing the number of KMS API requests.

Key AWS features:

Cost Optimization: S3 Bucket Keys reduce the frequency of KMS calls, optimizing the cost associated with encryption while still using AWS KMS for key management.

Compliance with KMS Encryption: This solution continues to meet the strict encryption requirements of the company by using KMS managed keys.

AWS Documentation: Using an S3 Bucket Key is recommended for organizations looking to optimize encryption costs without compromising security​​.

To achieve high availability for the website, two key actions should be taken:

Amazon RDS for MySQL Multi-AZ: By migrating the database to an RDS for MySQL Multi-AZ deployment, the database becomes highly available. Multi-AZ provides automatic failover from the primary database to a standby replica in another Availability Zone, ensuring database availability even in the case of an AZ failure.

Application Load Balancer and Auto Scaling: Deploying an Application Load Balancer (ALB) in front of the EC2 instances ensures that traffic is evenly distributed across the instances. Configuring an Auto Scaling group to run EC2 instances across multiple Availability Zones ensures that the application remains available even if one instance or one AZ becomes unavailable. This setup enhances fault tolerance and improves reliability.

Why Not Other Options?:

Option A (Internet Gateway per AZ): Internet Gateways are region-wide resources and do not need to be provisioned per Availability Zone. This option does not contribute to high availability.

Option C (DynamoDB + Auto Scaling): DynamoDB would require changes to the application code to switch from MySQL, which is not possible per the question's constraints.

Option D (DataSync): AWS DataSync is used for data transfer and synchronization, not for achieving high availability for a database.

AWS References:

Amazon RDS Multi-AZ Deployments- Explanation of how Multi-AZ deployments work in Amazon RDS.

Application Load Balancing- Details on how to configure and use ALB for distributing traffic across multiple instances.

Amazon Cognitoprovides scalable, serverless authentication, andLambda@Edgeis used for authorization, providing low-latency access control at the edge.Amazon CloudFrontserves the web application globally with reduced latency and ensures secure access for users around the world. This solution minimizes operational overhead while providing scalability and security.

Option B (Directory Service): Directory Service is more suitable for enterprise use cases involving Active Directory, not for web-based applications.

Option C (S3 Transfer Acceleration): S3 Transfer Acceleration helps with file transfers but does not provide authorization features.

Option D (Elastic Beanstalk): Elastic Beanstalk adds unnecessary overhead when CloudFront can handle global delivery efficiently.

AWS References:

Amazon Cognito

Lambda@Edge

Amazon API Gatewayprovides a scalable and reusable solution for interacting with DynamoDB without requiring direct access by developers. By setting up a REST API with a POST methodthat integrates with DynamoDB'sPutItemaction, developers can submit data (such as user ratings) to the DynamoDB table through API Gateway, without having to directly interact with the database. This solution is serverless and minimizes operational overhead.

Option A: Using ALB with Lambda adds complexity and is less efficient for this use case.

Option B: While using Lambda is possible, API Gateway provides a more scalable, reusable interface.

Option C: SQS with Lambda introduces unnecessary components for a simple put operation.

AWS References:

Amazon API Gateway with DynamoDB

This solution addresses the scalability needs of the workload while preventing failed processing attempts due to resource constraints.

Amazon S3 event notificationscan be used to trigger a message to an SQS queue whenever a new video is uploaded.

The existing Auto Scaling group of EC2 instances can poll the SQS queue, ensuring that the EC2 instances only process videos when there is a job in the queue.

SQS decouplesthe video upload and processing steps, allowing the system to handle sudden spikes in video uploads without overloading EC2 instances.

The use ofAuto Scalingensures that the EC2 instances can scale in or out based on the demand, maintaining cost efficiency while avoiding processing failures due to insufficient resources.

AWS References:

S3 Event Notificationsdetails how to configure notifications for S3 events.

Amazon SQSis a fully managed message queuing service that decouples components of the system.

Auto Scaling EC2explains how to manage automatic scaling of EC2 instances based on demand.

Why the other options are incorrect:

A. AWS Lambda functions: While Lambda can handle some workloads, video processing is often resource-intensive and long-running, making EC2 a more suitable solution.

B. Using SNS with Lambda: Similar to A, Lambda is not ideal for large-scale video processing due to its time and memory limitations.

D. AWS Step Functions: While a valid orchestration solution, this introduces more complexity and overhead compared to the simpler SQS-based solution.

The question focuses on minimizing costs while serving static content to users in the US and Europe.

Option Auses a single S3 bucket and configures CloudFront to limit edge locations, reducing costs by using fewer edge locations while still improving performance.

Option Bmaximizes edge locations, which increases costs unnecessarily.

Options C and Dinvolve storing data in multiple regions, which increases storage and operational costs.Thus, Option A is the most cost-effective solution.

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

AWS Backup is the most appropriate solution for managing backups with minimal operational overhead while meeting the regulatory requirement to retain data for 90 days and enabling point-in-time restore for up to 14 days.

AWS Backup: AWS Backup provides a centralized backup management solution that supports automated backup scheduling, retention management, and compliance reporting across AWS services, including Amazon RDS. By creating a backup plan, you can define a retention period (in this case, 90 days) and automate the backup process.

Point-in-Time Restore (PITR): Amazon RDS supports point-in-time restore for up to 35 days with automated backups. By using AWS Backup in conjunction with RDS, you ensure that your backup strategy meets the requirement for restoring data to a specific point in time within the last 14 days.

Why Not Other Options?:

Option A (RDS Automated Backups): While RDS automated backups support PITR, they do not directly support retention beyond 35 days without manual intervention.

Option B (Manual Snapshots): Manually creating and managing snapshots is operationally intensive and less automated compared to AWS Backup.

Option C (Aurora Clones): Aurora Clone is a feature specific to Amazon Aurora and is not applicable to Amazon RDS for Oracle.

AWS References:

AWS Backup- Overview of AWS Backup and its capabilities.

Amazon RDS Automated Backups- Information on how RDS automated backups work and their limitations.

AWS Site-to-Site VPN: This provides a secure and encrypted connection between an on-premises environment and AWS. It is a cost-effective solution suitable for low bandwidth and small traffic needs.

Quick Setup:

Site-to-Site VPN can be quickly set up by configuring a virtual private gateway on the AWS side and a customer gateway on the on-premises side.

It uses standard IPsec protocol to establish the VPN tunnel.

Cost-Effectiveness: Compared to AWS Direct Connect, which requires dedicated physical connections and higher setup costs, a Site-to-Site VPN is less expensive and easier to implement for smaller traffic requirements.

To meet the requirement of deleting objects older than 3 years while retaining certain data, this solution leverages serverless technologies to minimize operational overhead.

S3 Inventory: S3 Inventory provides a flat file that lists all the objects in an S3 bucket and their metadata, which can be configured to include data such as the last modified date. This inventory can be generated daily or weekly.

AWS Lambda Function: A Lambda function can be created to process the S3 Inventory report, filtering out the objects that need to be retained and identifying those that should be deleted.

S3 Batch Operations: S3 Batch Operations can execute tasks such as object deletion at scale. By invoking the Lambda function through S3 Batch Operations, you can automate the process of deleting the identified objects, ensuring that the solution is serverless and requires minimal operational management.

Why Not Other Options?:

Option A (AWS CLI script on EC2): Running a script on an EC2 instance adds unnecessary operational overhead and is not serverless.

Option B (AWS Batch): AWS Batch is designed for running large-scale batch computing workloads, which is overkill for this scenario.

Option C (AWS Glue + script): AWS Glue is more suited for ETL tasks, and this approach would add unnecessary complexity compared to the serverless Lambda solution.

AWS References:

Amazon S3 Inventory- Information on how to set up and use S3 Inventory.

S3 Batch Operations- Documentation on how to perform bulk operations on S3 objects using S3 Batch Operations.

This solution allows for secure and least-privilege access with minimal operational overhead.

IAM Identity Center: AWS IAM Identity Center (formerly AWS SSO) enables you to centrally manage access to multiple AWS accounts and applications. By using IAM Identity Center, you can assign permission sets that define what users or groups can access, ensuring that only necessary permissions are granted.

Permission Sets: Permission sets in IAM Identity Center allow you to define granular access controls for specific services, such as Amazon RDS and S3. You can tailor these permissions to meet the needs of different teams, adhering to the principle of least privilege.

Group Management: By assigning users to groups and associating those groups with specific permission sets, you reduce the complexity and overhead of managing individual IAM roles and policies. This method also simplifies compliance and audit processes.

Why Not Other Options?:

Option A (IAM roles): While IAM roles can provide least-privilege access, managing multiple roles and policies across teams increases operational overhead compared to using IAM Identity Center.

Option C (Individual IAM users): Managing individual IAM users and roles can be cumbersome and does not scale well compared to group-based management in IAM Identity Center.

Option D (AWS Organizations with cross-account roles): Creating separate accounts and cross-account roles adds unnecessary complexity and overhead for this use case, where IAM Identity Center provides a more straightforward solution.

AWS References:

AWS IAM Identity Center- Overview and best practices for using IAM Identity Center.

Managing Access Permissions Using IAM Identity Center- Guide on creating and managing permission sets for secure access.

To ensure high availability and scalability, the web application should run in anAuto Scaling groupacross two Availability Zones behind anApplication Load Balancer (ALB). The database should be migrated toAmazon RDSwithMulti-AZ deployment, which ensures fault tolerance and automatic failover in case of an AZ failure. This setup minimizes administrative overhead while meeting the company's requirements for high availability and scalability.

Option A: Read replicas are typically used for scaling read operations, and Multi-AZ provides better availability for a transactional database.

Option B: Replicating across AWS Regions adds unnecessary complexity for a single web application.

Option D: EC2 instances across three Availability Zones add unnecessary complexity for this scenario.

AWS References:

Auto Scaling Groups

Amazon RDS Multi-AZ

This solution meets the requirements of providing encryption at both the network and session layers while also allowing for controlled access between on-premises systems and AWS resources.

AWS Site-to-Site VPN: This service allows you to establish a secure and encrypted connection between your on-premises network and AWS VPC over the internet or via AWS Direct Connect. The VPN encrypts data at the network layer (IPsec) as it travels between the corporate network and AWS.

Routing and Security Controls: By configuring route table entries, you can ensure that only the traffic intended for AWS resources is directed to the VPC. Additionally, by setting up security groups and network ACLs, you can further restrict and control which traffic is allowed to communicate with the instances within your VPC. This approach provides the necessary security to prevent unrestricted access, aligning with the company’s security policies.

Why Not Other Options?:

Option A (AWS Direct Connect): While Direct Connect provides a private connection, it does not inherently provide encryption. Additional steps would be required to encrypt traffic, and it doesn’t address the session layer encryption.

Option B (IAM policies for Console access): This option does not meet the requirement for network-level encryption and security between the corporate network and the VPC.

Option D (AWS Transit Gateway): Although Transit Gateway can help in managing multiple connections, it doesn’t directly provide encryption at the network layer. You would still need to configure a VPN or use other methods for encryption.

AWS References:

AWS Site-to-Site VPN- Overview of AWS Site-to-Site VPN capabilities, including encryption.

Security Groups and Network ACLs- Information on configuring security groups and network ACLs to control traffic.

AmazonTextractcan extract text from the PDFs, andAmazon Comprehendis the most suitable service to analyze the extracted text for sentiment and insights. Comprehend offers a fully managed, low-operational overhead solution for analyzing text data. The results can then be stored in anAmazon S3bucket, ensuring scalability and easy access.

Option A: Athena is for querying structured data and is not suitable for sentiment analysis.

Option B: SageMaker adds complexity and is not necessary when Comprehend can handle sentiment analysis natively.

Option D: QuickSight is used for visualization and analytics, but it does not provide sentiment analysis.

AWS References:

Amazon Comprehend

Amazon Textract

The combination of these solutions provides an efficient and automated way to migrate data while preserving metadata and ensuring cleanup:

Create a new S3 bucket with versioning enabled(Option A) to preserve object metadata like version IDs during migration.

UseS3 batch operations(Option B) to efficiently copy data from specific prefixes in the source bucket to the destination bucket, ensuring minimal overhead.

Use an S3 Lifecycle policy(Option F) to automatically delete the data from the source bucket after it has been migrated, reducing manual intervention.

Option C (CopyObject API): This approach would require more manual scripting and effort.

Option D (Same-Region Replication): SRR is designed for ongoing replication, not for one-time migrations.

Option E (DataSync): DataSync adds more complexity than necessary for this task.

AWS References:

S3 Batch Operations

S3 Lifecycle Policies

To process each form exactly once and ensure no data is lost, using an Amazon SQS FIFO (First-In-First-Out) queue is the most appropriate solution. SQS FIFO queues guarantee that messages are processed in the exact order they are sent and ensure that each message is processed exactly once. This ensures data consistency and reliability, both of which are crucial for processing user-submitted forms without data loss.

SQS acts as a buffer between the web application server and the worker tier, ensuring that submitted forms are stored reliably and forwarded to the worker tier for processing. This also decouples the application, improving its scalability and resilience.

Option B (API Gateway): API Gateway is better suited for API management rather than acting as a message queue for form processing.

Option C (SQS Standard Queue): While SQS Standard queues offer high throughput, they do not guarantee exactly-once processing or the strict ordering needed for this use case.

Option D (Step Functions): Step Functions are useful for orchestrating workflows but add unnecessary complexity for simple message queuing and form processing.

AWS References:

Amazon SQS FIFO Queues

Decoupling Application Tiers Using Amazon SQS

To meet the requirements for tagging and preventing instance creation or deletion without proper tags, the company can use a combination of AWS Organizations tag policies and service control policies (SCPs).

Tag Policies: These enforce specific tag values across resources. Creating a tag policy with required values (e.g., sensitive, non-sensitive) and attaching it to the appropriate organizational unit (OU) ensures consistency in tagging.

SCPs: SCPs can be used to enforce compliance by preventing instance creation without a tag and preventing tag deletion. These policies control actions at the account level across the organization.

Key AWS features:

Tag Policieshelp standardize tags across accounts, andSCPsenforce governance by restricting actions that violate the policies.

AWS Documentation: AWS best practices recommend using tag policies and SCPs to enforce compliance across multiple accounts within AWS Organizations​.

This solution provides encryption at rest and in transit with the least operational overhead while adhering to the company’s security policies.

Encryption at Rest: Amazon RDS for MySQL can be configured to encrypt data at rest by using AWS Key Management Service (KMS) managed keys. This encryption is applied automatically to all data stored on disk, including backups, read replicas, and snapshots. This solution requires minimal operational overhead because AWS manages the encryption and key management process.

Encryption in Transit: AWS Certificate Manager (ACM) allows you to provision, manage, and deploy SSL/TLS certificates seamlessly. These certificates can be used to encrypt data in transit by configuring the MySQL instance to use SSL/TLS for connections. This setup ensures thatdata is encrypted between the application and the database, protecting it from interception during transmission.

Why Not Other Options?:

Option B (IPsec tunnels): While IPsec tunnels encrypt data in transit, they are more complex to manage and require additional configuration and maintenance, leading to higher operational overhead.

Option C (Third-party application-level encryption): Implementing application-level encryption adds complexity, requires code changes, and increases operational overhead.

Option D (VPN for encryption): A VPN solution for encrypting data in transit is unnecessary and adds additional complexity without providing any benefit over SSL/TLS, which is simpler to implement and manage.

AWS References:

Amazon RDS Encryption- Information on how to configure and use encryption for Amazon RDS.

AWS Certificate Manager (ACM)- Details on using ACM to manage SSL/TLS certificates for securing data in transit.

This solution is the most cost-effective and efficient way to break down costs per application.

Tagging Resources: By tagging all AWS resources with a specific key (e.g., "cost") and a value representing the application's name, you can easily identify and categorize costs associated with each application. This tagging strategy allows for granular tracking of costs within AWS.

Activating Cost Allocation Tags: Once tags are applied to resources, you need to activate cost allocation tags in the AWS Billing and Cost Management console. This ensures that the costs associated with each tag are included in your billing reports and can be used for cost analysis.

AWS Cost Explorer: Cost Explorer is a powerful tool that allows you to visualize, understand, and manage your AWS costs and usage over time. You can filter and group your cost data by the tags you’ve applied to resources, enabling you to easily see the cost breakdown for each application. Cost Explorer also supports generating regular reports, which can be scheduled and emailed to stakeholders.

Why Not Other Options?:

Option A (AWS Budgets): AWS Budgets is more focused on setting cost and usage thresholds and monitoring them, rather than providing detailed cost breakdowns by application.

Option B (Load Cost and Usage Reports into RDS): This approach is less cost-effective and involves more operational overhead, as it requires setting up and maintaining an RDS instance and running SQL queries.

Option D (AWS Billing and Cost Management Console): While you can download bills, this method is more manual and less dynamic compared to using Cost Explorer with activated tags.

AWS References:

AWS Tagging Strategies- Overview of how to use tagging to organize and track AWS resources.

AWS Cost Explorer- Details on how to use Cost Explorer to analyze costs.

The company needs a cloud-based storage solution for frequently accessed data with low latency, while retaining their current on-premises infrastructure for some data storage. AWS Storage Gateway'sVolume Gateway with cached volumesis the most appropriate solution for this scenario.

AWS Storage Gateway - Volume Gateway (Cached Volumes):

Volume Gateway with cached volumesallows you to store frequently accessed data in the AWS Cloud while keeping the most recently accessed data cached locally on-premises. This ensures low-latency access to active data while providing scalability for the rest of the data in the cloud.

The cached volume option stores the primary data in Amazon S3 but caches frequently accessed data locally, ensuring fast access. This configuration is well-suited for applications that require fast access to frequently used data but can tolerate cloud-based storage for the rest.

Since the company is facing limited on-premises storage, cached volumes provide an ideal solution, as they reduce the need for additional on-premises storage infrastructure.

Why Not the Other Options?:

Option A (S3 File Gateway): S3 File Gateway provides a file-based interface (SMB/NFS) for storing data directly in S3. While it is great for file storage, the company’s need for block-level storage with iSCSI targets makes Volume Gateway a better fit.

Option C (Volume Gateway - Stored Volumes): Stored volumes keep all the data on-premises and asynchronously back up to AWS. This would not address the company's storage limitations since they would still need substantial on-premises storage.

Option D (Tape Gateway): Tape Gateway is designed for archiving and backup, not for frequently accessed low-latency data.

AWS References:

AWS Storage Gateway - Volume Gateway

AWS Glue jobs are designed for extract, transform, and load (ETL) operations, which are perfect for transforming clinical trial data. AWS Glue integrates with AWS Key Management Service (KMS), allowing for customer-specific encryption keys, fulfilling the encryption requirement with minimal operational effort. Client-side encryption with AWS KMS ensures that the data is encrypted before it is sent to S3, aligning with the security needs specified in the scenario.

Key aspects:

AWS Glue: This managed ETL service simplifies data transformation, reduces operational overhead, and integrates seamlessly with KMS.

CSE-KMS: Client-side encryption with KMS ensures that the data is encrypted with customer-specific keys before it is processed or stored in S3, offering robust security​​.

Minimal Operational Overhead: Compared to managing an EMR cluster, AWS Glue automates much of the process, making it a lower-effort solution.

AWS Documentation: According to the AWS Well-Architected Framework, encryption with AWS KMS offers strong security controls that meet the needs of industries requiring high levels of confidentiality​​.

A. Kinesis Data Streams:Supports high throughput, strict ordering, multiple consumers, and data retention for 365 days.

B. SNS + SQS FIFO:Can enforce ordering but lacks native support for 500 KB messages and retention requirements.

C. EventBridge:Lacks strict ordering and message size compatibility.

D. SNS + Firehose:Not designed for strict ordering or large message sizes.

Gateway Endpoint for Amazon S3: A VPC endpoint for Amazon S3 allows you to privately connect your VPC to Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Provisioning the Endpoint:

Navigate to the VPC Dashboard.

Select "Endpoints" and create a new endpoint.

Choose the service name for S3 (com.amazonaws.region.s3).

Select the appropriate VPC and subnets.

Adjust the route tables of the subnets to include the new endpoint.

Update Route Tables: Modify the route tables of the subnets to direct traffic destined for S3 to the newly created endpoint. This ensures that traffic to S3 does not go through the NAT instance, avoiding the saturated network and eliminating timeouts.

Operational Efficiency: This solution minimizes operational overhead by removing dependency on the NAT instance and avoiding internet traffic, leading to more stable and secure S3 interactions.

AWS PrivateLinkis the most suitable solution for providing fine-grained access control while allowing multiple VPCs, potentially across multiple accounts, to access the new application. This approach offers the following advantages:

Fine-grained control: Endpoint policies can restrict access to specific services or principals.

No need for route table updates: Unlike VPC peering or transit gateways, AWS PrivateLink does not require complex route table management.

Scalable architecture: PrivateLink scales to support traffic from multiple VPCs.

Secure connectivity: Ensures private connectivity over the AWS network, without exposing resources to the internet.

Why Other Options Are Not Ideal:

Option A:

VPC peering is not scalable when connecting multiple VPCs or accounts.

Route table management becomes complex as the number of VPCs increases.Not scalable.

Option B:

While transit gateways provide scalable VPC connectivity, they are not ideal for fine-grained access control.

Transit gateways allow connectivity but do not inherently restrict access to specific applications.Not ideal for fine-grained access control.

Option D:

Exposing the application through an ALB over the internet is not secure and does not align with the requirement to use private network resources.Security risk.

AWS References:

AWS PrivateLink:AWS Documentation - PrivateLink

AWS Networking Services Comparison:AWS Whitepaper - Networking Services

Amazon Aurora MySQL supports the SELECT INTO OUTFILE S3 SQL syntax to export query results directly to Amazon S3. This is an efficient and low-overhead method for archiving data.

Once data is in S3, Lifecycle rules can be configured to automatically transition older data to lower-cost storage classes (such as S3 Glacier) or delete it after a defined period, providing a cost-optimized and automated archive solution.

The Glue-based options involve more services and operational overhead. SCT is intended for database migrations, not for periodic data archival.

Amazon GuardDuty detects cryptocurrency mining and sends findings to Amazon EventBridge. You can use EventBridge to trigger an automated Lambda function to isolate EC2 instances (such as by removing security group access or stopping/isolating the instance).

AWS Documentation Extract:

"Amazon GuardDuty findings can be sent to Amazon EventBridge, which enables you to trigger an automated response using AWS Lambda."

(Source: AWS GuardDuty documentation)

B, C, D: Security Hub, Inspector, and Config are not directly used for this detection-to-isolation workflow.

Amazon QuickSight includes built-in ML-powered forecasting capabilities, allowing you to create, visualize, and interact with time series forecasts directly within the BI dashboard, with no ML experience or infrastructure management required. This is the lowest management overhead solution.

AWS Documentation Extract:

"Amazon QuickSight provides built-in ML-powered forecasting, allowing business users to forecast future trends with a few clicks and no machine learning expertise required."

(Source: Amazon QuickSight documentation)

A, C, D: Require additional setup, management, or ML knowledge.

DynamoDB Accelerator (DAX) is a fully managed, in-memory cache for DynamoDB that delivers up to a 10x performance improvement—even at millions of requests per second. DAX requires minimal changes to existing applications and offloads the read workload from DynamoDB during report generation.

Reference Extract:

"DAX provides in-memory acceleration for DynamoDB tables, reducing response times from milliseconds to microseconds with minimal application changes."

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Performance section.

Amazon CloudFront is a highly cost-effective CDN that caches content like images and videos at edge locations globally. This reduces latency and the load on the origin S3 bucket. It is ideal for static content that is accessed by many users.

Edge-Optimized API: Designed for global users by routing requests through CloudFront's edge locations, reducing latency.

Content Encoding: Enabling content encoding compresses data, further optimizing performance by decreasing payload size.

Caching: Adding API Gateway caching reduces the number of calls to Lambda and database backends, improving latency.

Reserved Concurrency: Although useful, this does not directly affect latency for transferring static and dynamic content.

AWS API Gateway Edge-Optimized APIs Documentation

To protect against a Regional failure, the application must be deployed in multiple Regions. Amazon Route 53 DNS failover with health checks allows traffic to be automatically routed to a healthy Region when the primary becomes unavailable, meeting high availability and disaster recovery requirements.

When using imported key material with AWS KMS, you maintain control over the key lifecycle. AWS KMS allows you to import new key material into an existing KMS key (of type "external" or "imported"), thus rotating the key material without changing the key ID or ARNs. This enables applications to continue using the same key for cryptographic operations without disruption.

You can also set an expiration time for the old key material, after which AWS KMS deletes the old material and requires new key material to be imported, enforcing regular rotation per your compliance requirements.

AWS Documentation Extract:

"To rotate imported key material, you can re-import new key material into the same KMS key. This retains the same key ID and ARNs so applications are unaffected. You can set an expiration time for imported key material and replace it as needed, ensuring compliance with your rotation policy."

(Source: AWS Key Management Service Developer Guide, Importing Key Material, Rotating Key Material)

Other options:

A: You cannot create a new KMS key with the same key ID as an existing one.

B: Deleting and recreating the key disrupts application access because the key ID changes.

D: Automatic rotation is only available for AWS-managed keys, not for imported key material.

Amazon RDS Proxy is designed to manage a large number of database connections from applications, especially serverless applications that can scale quickly. It improves application availability and scalability by pooling and sharing established database connections. This reduces the overhead of database connections and prevents overload during traffic spikes.

AWS Step Functions provides a low-code, fully managed workflow service with a visual interface to orchestrate AWS Glue jobs in sequence. Step Functions integrates natively with AWS Glue and can be triggered by Amazon EventBridge based on events or schedules.

AWS Documentation Extract:

“AWS Step Functions makes it easy to coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Step Functions provides visual workflows and integrates with AWS Glue for ETL orchestration.”

(Source: AWS Step Functions documentation)

A: Manual scripting and dashboards do not provide a low-code or integrated visual workflow.

C: QuickSight is for BI, not workflow visualization.

D: ECS adds unnecessary complexity.

The first step is to configure a delegated administrator account for IAM Access Analyzer at the organization level. Only after delegating the administrator account can you aggregate Access Analyzer findings from all member accounts into a designated audit account. This must be set up in the AWS Organizations management account.

AWS Documentation Extract:

“You must designate a delegated administrator for IAM Access Analyzer at the organization level. The delegated administrator account aggregates findings from all member accounts.”

(Source: IAM Access Analyzer documentation)

A, C, D: These steps do not establish the organization-wide aggregation required for Access Analyzer.

Why Option B is Correct:

Amazon SQS: Ensures no requests are lost, even during traffic spikes.

API Gateway: Handles dynamic traffic patterns efficiently, integrating with SQS for asynchronous processing.

Lambda: Polls the queue and processes requests in a serverless and scalable manner.

Dead-Letter Queue (DLQ): Ensures failed messages are retried or logged for debugging.

Why Other Options Are Not Ideal:

Option A: Elastic Beanstalk cannot handle queue-based decoupling, making it unsuitable for spiky traffic.

Option C: ALB to Lambda does not provide buffering for traffic spikes, risking request loss.

Option D: SNS is better suited for notifications, not reliable for ensuring message durability.

AWS References:

Amazon SQS:AWS Documentation - SQS

Comprehensive and Detailed Explanation:

To handle increased loads effectively, it's essential to implement Auto Scaling for both frontend and backend tiers:

Frontend Auto Scaling Group: Scaling based on incoming network traffic ensures that the application can handle increased user requests.

Backend Auto Scaling Group: Scaling based on the Amazon SQS queue backlog ensures that the backend can process messages as they arrive, preventing delays.

This approach allows each tier to scale independently based on its specific load, ensuring optimal resource utilization and performance.

Comprehensive and Detailed Explanation:

AWS Control Tower provides a straightforward way to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of a baseline environment, or landing zone, that includes:

Service Control Policies (SCPs): These are used to manage permissions across AWS Organizations, allowing you to set permission guardrails. SCPs can restrict access to specific AWS services and actions, helping enforce security best practices.

Multi-Factor Authentication (MFA): AWS Control Tower can enforce MFA for the root user across all accounts, enhancing security.

Centralized Governance: It offers centralized logging and monitoring, making it easier to manage and audit multiple AWS accounts.

EMR runtime roles allow fine-grained permissions per job, letting each team access only the services they are authorized to use. This isolates IAM permissions per workload and avoids exposing instance-level credentials through IMDSv2. Runtime roles improve security posture in multi-tenant EMR environments.

Using API Gateway and Lambda enables serverless handling of form submissions with minimal cost and infrastructure. When coupled with Amazon SNS, it allows instant email notifications without running servers, making it ideal for low-traffic workloads.

Amazon Rekognition provides pretrained models that can detect inappropriate or unsafe content (such as nudity or violence) without requiring users to build their own ML models. Using a Lambda function to call Rekognition when new photos are uploaded is a serverless and scalable solution.

Background Jobs with Event Invocation Type:

The Event invocation type is asynchronous, meaning the Lambda function does not send an immediate result to the API Gateway and processes the request in the background. This is ideal for video encoding tasks that take time.

REST API vs. HTTP API:

REST APIs support advanced features like API keys, request validation, and throttling that HTTP APIs do not support fully.

Since the developer needs API keys and request validations, a REST API is the correct choice.

Integration with Lambda:

AWS Lambda integration is seamless with REST APIs, and using the Event invocation ensures asynchronous processing.

Incorrect Options Analysis:

Option A: HTTP API lacks full support for API keys and validation.

Option CandD: RequestResponse invocation type requires immediate responses, unsuitable for background jobs.

The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.

AWS Lake Formation supports tag-based access control (TBAC) using LF-tags (Lake Formation tags), which allows you to assign tags to tables, columns, and databases. You can then define permissions on resources by specifying tags rather than managing permissions for individual resources. This approach is highly scalable and efficient when dealing with a growing number of tables and columns. By associating IAM roles to departments and granting access based on LF-tags, you dramatically reduce the operational burden as new tables or columns are added; you only need to assign the appropriate tags.

Amazon Athena can directly query data in S3 with Lake Formation providing fine-grained access control.

AWS Documentation Extract:

"With LF-tag-based access control, you can grant permissions to resources based on tags, making it easy to manage access at scale, especially in environments with large and dynamic numbers of resources."

"LF-tags provide a scalable way to manage permissions for large numbers of resources without having to define permissions individually for each table or column."

(Source: AWS Lake Formation documentation, Access Control, Tag-Based Access Control)

Other options:

A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.

B & D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.

A: Amazon Macie can scan S3 buckets for sensitive data and identify PII.

C: S3 Object Lock legal hold prevents object deletion until a review is complete, meeting compliance requirements.

E: EventBridge can trigger the Lambda function automatically when Macie detects sensitive data, creating an automated workflow.

AWS Documentation Extract:

"Amazon Macie automatically discovers, classifies, and protects sensitive data in AWS. You can use EventBridge to invoke a Lambda function for post-processing, such as applying Object Lock legal hold to flagged objects."

(Source: AWS Macie and S3 Object Lock documentation)

B, D: Moving to Glacier Deep Archive or applying retention in governance mode is not specific to deletion prevention pending review.

F: MFA Delete adds a security layer but does not automate object retention for flagged PII.

Comprehensive and Detailed Explanation:

To optimize storage costs, migrating data from Amazon EFS to Amazon S3 with the Intelligent-Tiering storage class is a cost-effective solution.

Amazon S3 Intelligent-Tiering: This storage class automatically moves data between frequent, infrequent, and archive access tiers based on access patterns, reducing storage costs without impacting performance.

Cost Savings: By leveraging Intelligent-Tiering, the company can achieve significant cost savings, especially for data with unpredictable access patterns.

Application Update: The application must be updated to interact with Amazon S3 APIs for storing and retrieving files, ensuring seamless integration with the new storage solution.