# TOC
1. 

# Question 1 - 40

## Question 1

A company needs to architect a hybrid DNS solution. This solution will use an Amazon Route 53 private hosted zone for the domain cloud.example.com for the resources stored within VPCs.

The company has the following DNS resolution requirements:
- On-premises systems should be able to resolve and connect to cloud.example.com.
- All VPCs should be able to resolve cloud.example.com.
- There is already an AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway.

Which architecture should the company use to meet these requirements with the HIGHEST performance?

1. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.
2. Associate the private hosted zone to all the VPCs. Deploy an Amazon EC2 conditional forwarder in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the conditional forwarder.
3. Associate the private hosted zone to the shared services VPC. Create a Route 53 outbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the outbound resolver.
4. Associate the private hosted zone to the shared services VPC. Create a Route 53 inbound resolver in the shared services VPC. Attach the shared services VPC to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

#### Unknown terms
- **Route53 inbound/outbound resolver** \
    Route53 resolver helps resolve DNS queries between on-prem and AWS resources \
    Inbound resolver Endpoints allow DNS queries from to reach on-prem DNS servers from your VPC \
    Outbound resolver Endpoints are vice versa \
    https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
- **shared services VPC** \
    Centralize shared services into a VPC \
    https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html
    
- **EC2 conditional forwarder** do not exists \
    conditional forwarder: https://www.linkedin.com/pulse/understanding-essential-dns-settings-forwarders-prabu-ponnan/ \
    https://docs.aws.amazon.com/whitepapers/latest/hybrid-cloud-dns-options-for-vpc/decentralized-conditional-forwarders.html

**Answer: 1**

Reference: [Hybrid DNS resolution with Amazon Route 53 Resolver Endpoints](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/hybrid-dns_route53-resolver-endpoint-ra.pdf)

Explanation:

- 2: No such services Amazon EC2 conditional forwarder
- 3: For on-prem to resolve private domain in AWS must point to inbound resolver
- 4: If only attach transit gateway, after resolving domain name AWS resources can not reach on-prem or vice versa


## Question 2

A company is providing weather data over a REST-based API to several customers. The API is hosted by Amazon API Gateway and is integrated with different AWS Lambda functions for each API operation. The company uses Amazon Route 53 for DNS and has created a resource record of weather.example.com. The company stores data for the API in Amazon DynamoDB tables. The company needs a solution that will give the API the ability to fail over to a different AWS Region.
Which solution will meet these requirements?

1. Deploy a new set of Lambda functions in a new Region. Update the API Gateway API to use an edge-optimized API endpoint with Lambda functions from both Regions as targets. Convert the DynamoDB tables to global tables.
2. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a multivalue answer. Add both API Gateway APIs to the answer. Enable target health monitoring. Convert the DynamoDB tables to global tables.
3. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a failover record. Enable target health monitoring. Convert the DynamoDB tables to global tables.
4. Deploy a new API Gateway API in a new Region. Change the Lambda functions to global functions. Change the Route 53 DNS record to a multivalue answer. Add both API Gateway APIs to the answer. Enable target health monitoring. Convert the DynamoDB tables to global tables.

#### Unknown terms
- **[Edge-optimized API endpoints](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-basic-concept.html#apigateway-definition-edge-optimized-api-endpoint)** \
  Using CloudFront distribution to help client access API Gateway API faster
- **[Failover routing](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-failover.html)** \
  route traffic to a healthy resource or to a different resource when the first resource is unhealthy

**Answer: 3**

Reference: [Implementing Multi-Region Disaster Recovery Using Event-Driven Architecture](https://aws.amazon.com/blogs/architecture/implementing-multi-region-disaster-recovery-using-event-driven-architecture/)

Explanation:
- 1: Edge-optimized API endpoints helps route traffic to distributed client

- 2 & 4: Multivalue answer routing provide load balancing and route traffic randomly \
  Reference: [Multivalue answer routing](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-multivalue.html)

- 4: No such global Lambda function only [Lambda@edge](https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html)

## Question 3

A company uses AWS Organizations with a single OU named Production to manage multiple accounts. All accounts are members of the Production OU. Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
The company recently acquired a new business unit and invited the new unit’s existing AWS account to the organization. Once onboarded, the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company’s policies.
Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?

1. Remove the organization’s root SCPs that limit access to AWS Config. Create AWS Service Catalog products for the company’s standard AWS Config rules and deploy them throughout the organization, including the new account.
2. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are completed.
3. Convert the organization’s root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporarily apply an SCP to the organization’s root that allows AWS Config actions for principals only in the new account.
4. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization’s root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.

#### Unknown terms:
- [Service Catalog](https://docs.aws.amazon.com/servicecatalog/)
- [Understanding management policy inheritance](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_mgmt.html)

**Answer: 4**

Explanation:
- 1: AWS Service Catalog does not support AWS Config \
    [AWS Service Catalog's Product](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html#what-is_concepts-product)
- 2: The Onboarding OU inhertis the deny SCPs in the root of the organization
- 3: This option will cause additional long-term maintenance, everytime an account in the new unit want to update required services, we have to repeat this action


## Question 4

A company is running a two-tier web-based application in an on-premises data center. The application layer consists of a single server running a stateful application. The application connects to a PostgreSQL database running on a separate server. The application’s user base is expected to grow significantly, so the company is migrating the application and database to AWS. The solution will use Amazon Aurora PostgreSQL, Amazon EC2 Auto Scaling, and Elastic Load Balancing.

Which solution will provide a consistent user experience that will allow the application and database tiers to scale?

1. Enable Aurora Auto Scaling for Aurora Replicas. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.

2. Enable Aurora Auto Scaling for Aurora writers. Use an Application Load Balancer with the round robin routing algorithm and sticky sessions enabled.

3. Enable Aurora Auto Scaling for Aurora Replicas. Use an Application Load Balancer with the round robin routing and sticky sessions enabled.

4. Enable Aurora Scaling for Aurora writers. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.

**Answer: 3**

#### Unknown terms:
- [Routing algorithm](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#modify-routing-algorithm)

Explanation:
- 1: Only ALB has routing algorithm
- 2 & 4: Aurora Auto Scaling for Aurora writers does not exist

## Question 5

A company uses a service to collect metadata from applications that the company hosts on premises. Consumer devices such as TVs and internet radios access the applications. Many older devices do not support certain HTTP headers and exhibit errors when these headers are present in responses. The company has configured an on-premises load balancer to remove the unsupported headers from responses sent to older devices, which the company identified by the User-Agent headers.

The company wants to migrate the service to AWS, adopt serverless technologies, and retain the ability to support the older devices. The company has already migrated the applications into a set of AWS Lambda functions.
Which solution will meet these requirements?

1. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a CloudFront function to remove the problematic headers based on the value of the User-Agent header.

2. Create an Amazon API Gateway REST API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Modify the default gateway responses to remove the problematic headers based on the value of the User-Agent header.

3. Create an Amazon API Gateway HTTP API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Create a response mapping template to remove the problematic headers based on the value of the User-Agent. Associate the response data mapping with the HTTP API.

4. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a Lambda@Edge function that will remove the problematic headers in response to viewer requests based on the value of the User-Agent header.

**Answer: 1**
> Header manipulation – You can insert, modify, or delete HTTP headers in the request or response. For example, you can add a True-Client-IP header to every request.

[CloudFront Functions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html)

Explanation:
- 2 & 3: can not remove response header base on request header
- 4: Lambda@Edge is more suitable for heavy workload. [Reference](https://aws.amazon.com/blogs/aws/introducing-cloudfront-functions-run-your-code-at-the-edge-with-low-latency-at-any-scale/)

In [None]:
%%bash

# Shared commands
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_DEFAULT_REGION="us-east-1"
APP_NAME="MetadataService"

lambda_role_name="allow-write-log"
role_arn=$(aws iam create-role \
    --role-name "$lambda_role_name" \
    --assume-role-policy-document "{
        \"Version\": \"2012-10-17\",
        \"Statement\": [
            {
                \"Action\": \"sts:AssumeRole\",
                \"Principal\": {
                    \"Service\": \"lambda.amazonaws.com\"
                },
                \"Effect\": \"Allow\",
                \"Sid\": \"\"
            }
        ]
    }" | jq -r ".Role.Arn")
echo "role_arn=$role_arn"

policy=$(aws iam create-policy \
    --policy-name "lambda-write-log" \
    --policy-document "{
        \"Version\": \"2012-10-17\",
        \"Statement\": [
            {
                \"Action\": [
                    \"logs:CreateLogGroup\",
                    \"logs:CreateLogStream\",
                    \"logs:PutLogEvents\"
                ],
                \"Resource\": \"arn:aws:logs:*:*:*\",
                \"Effect\": \"Allow\"
            }
        ]
    }")
policy_arn=$(echo "$policy" | jq -r ".Policy.Arn")
echo "policy_arn=$policy_arn"

aws iam attach-role-policy \
    --role-name "$lambda_role_name" \
    --policy-arn "$policy_arn" >/dev/null

sleep 5
lambda_arn=$(aws lambda create-function \
    --function-name "$APP_NAME" \
    --runtime "python3.11" \
    --handler "index.lambda_handler" \
    --zip-file "fileb://src/q5/lambda.zip" \
    --role "$role_arn" | jq -r ".FunctionArn")
echo "lambda_arn=$lambda_arn"

In [1]:
%%bash

# Option 1 & 4
vpc=$(aws ec2 create-vpc \
    --cidr-block "10.0.0.0/16")
vpc_id=$(echo "$vpc" | jq -r ".Vpc.VpcId")
echo "vpc_id=$vpc_id"

subnet=$(aws ec2 create-subnet \
    --vpc-id "$vpc_id" \
    --cidr-block "10.0.1.0/24" \
    --availability-zone "${AWS_DEFAULT_REGION}a")
subnet_id=$(echo "$subnet" | jq -r ".Subnet.SubnetId")
echo "subnet_id=$subnet_id"

# alb require 2 subnets from 2 azs
subnet1=$(aws ec2 create-subnet \
    --vpc-id "$vpc_id" \
    --cidr-block "10.0.2.0/24" \
    --availability-zone "${AWS_DEFAULT_REGION}b")
subnet1_id=$(echo "$subnet1" | jq -r ".Subnet.SubnetId")
echo "subnet1_id=$subnet1_id"

# Internet Gateway
igw_id=$(aws ec2 create-internet-gateway | jq -r ".InternetGateway.InternetGatewayId")
echo "igw_id=$igw_id"

aws ec2 attach-internet-gateway \
    --internet-gateway-id "$igw_id" \
    --vpc-id "$vpc_id"

# Route Table
rtb=$(aws ec2 create-route-table \
    --vpc-id "$vpc_id")
rtb_id=$(echo "$rtb" | jq -r ".RouteTable.RouteTableId")
echo "rtb_id=$rtb_id"

aws ec2 create-route \
    --route-table-id "$rtb_id" \
    --destination-cidr-block "0.0.0.0/0" \
    --gateway-id "$igw_id" >/dev/null

aws ec2 associate-route-table \
    --route-table-id "$rtb_id" \
    --subnet-id "$subnet_id" >/dev/null
aws ec2 associate-route-table \
    --route-table-id "$rtb_id" \
    --subnet-id "$subnet1_id" >/dev/null

# Application Load Balancer
lambda_sg=$(aws ec2 create-security-group \
    --group-name alb \
    --description "sg for alb" \
    --vpc-id "$vpc_id")
lambda_sg_id=$(echo "$lambda_sg" | jq -r ".GroupId")
echo "lambda_sg_id=$lambda_sg_id"

aws ec2 authorize-security-group-ingress \
    --group-id "$lambda_sg_id" \
    --protocol tcp \
    --port 80 \
    --cidr "0.0.0.0/0" >/dev/null

alb=$(aws elbv2 create-load-balancer \
  --name "$APP_NAME" \
  --subnets "$subnet_id" "$subnet1_id" \
  --security-groups "$lambda_sg_id")
alb_arn=$(echo "$alb" | jq -r ".LoadBalancers[0].LoadBalancerArn")
echo "alb_arn=$alb_arn"
alb_dns=$(echo "$alb" | jq -r ".LoadBalancers[0].DNSName")
echo "alb_dns=$alb_dns"

lambda_target_group_arn=$(aws elbv2 create-target-group \
    --name "lambda-target-group" \
    --target-type "lambda" | jq -r ".TargetGroups[0].TargetGroupArn")
echo "lambda_target_group_arn=$lambda_target_group_arn"

aws lambda add-permission \
    --function-name "$APP_NAME" \
    --statement-id "AllowExecutionFromLB" \
    --action "lambda:InvokeFunction" \
    --principal "elasticloadbalancing.amazonaws.com" \
    --source-arn "$lambda_target_group_arn" >/dev/null

aws elbv2 register-targets \
    --target-group-arn "$lambda_target_group_arn" \
    --targets "Id=$lambda_arn" >/dev/null

aws elbv2 create-listener \
  --load-balancer-arn "$alb_arn" \
  --protocol HTTP \
  --port 80 \
  --default-actions "Type=forward,TargetGroupArn=$lambda_target_group_arn" >/dev/null

# CloudFront
# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
CF_FUNC_NAME="remove-headers"
cf_func=$(aws cloudfront create-function \
    --name "$CF_FUNC_NAME" \
    --function-config "{
            \"Comment\":\"Function to remove the problematic headers based on the value of the User-Agent header\",
            \"Runtime\":\"cloudfront-js-1.0\"
        }" \
    --function-code "fileb://src/q5/cf-func.js")

cf_func_etag=$(echo "$cf_func" | jq -r ".ETag")
echo "cf_func_etag=$cf_func_etag"

cf_func_arn=$(echo "$cf_func" | jq -r ".FunctionSummary.FunctionMetadata.FunctionARN")
echo "cf_func_arn=$cf_func_arn"

aws cloudfront publish-function \
    --name "$CF_FUNC_NAME" \
    --if-match "$cf_func_etag" >/dev/null

cfd_domain_name=$(aws cloudfront create-distribution --distribution-config "{
        \"CallerReference\":\"${APP_NAME}\",
        \"DefaultRootObject\":\"\",
        \"Origins\":{
            \"Quantity\":1,
            \"Items\":[{
                \"Id\":\"Metadata-Service\",
                \"DomainName\":\"${alb_dns}\",
                \"CustomOriginConfig\":{
                    \"HTTPPort\":80,
                    \"HTTPSPort\":443,
                    \"OriginProtocolPolicy\":\"http-only\",
                    \"OriginSslProtocols\":{
                        \"Quantity\":1,
                        \"Items\":[\"TLSv1.2\"]
                    }
                },
                \"CustomHeaders\":{
                    \"Quantity\":1,
                    \"Items\":[{
                        \"HeaderName\":\"X-From-Where\",
                        \"HeaderValue\":\"from-cloudfront\"
                    }]
                }
            }]
        },
        \"DefaultCacheBehavior\":{
            \"TargetOriginId\":\"Metadata-Service\",
            \"ViewerProtocolPolicy\":\"redirect-to-https\",
            \"MinTTL\": 0,
            \"MaxTTL\": 0,
            \"DefaultTTL\": 0,
            
            \"ForwardedValues\":{
                \"QueryString\":true,
                \"Cookies\":{
                    \"Forward\":\"all\"
                }
            },
           \"FunctionAssociations\":{
                \"Quantity\":1,
                \"Items\":[{
                    \"FunctionARN\": \"${cf_func_arn}\",
                    \"EventType\": \"viewer-response\"
                }]
           }
        },
        \"Comment\":\"${APP_NAME}\",
        \"Enabled\":true
    }" | jq -r ".Distribution.DomainName")
echo "$cfd_domain_name"


An error occurred (AccessDenied) when calling the RegisterTargets operation: elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:us-west-2:721318668125:function:MetadataService from target group arn:aws:elasticloadbalancing:us-west-2:721318668125:targetgroup/lambda-target-group/e9854e7a1b340986


In [None]:
%%bash

# Option 2 & 3
# Create or update the API
apigw=$(aws apigatewayv2 create-api \
    --name "$APP_NAME" \
    --protocol-type HTTP)
apigw_id=$(echo "$apigw" | jq -r ".ApiId")
echo "apigw_id=$apigw_id"
apigw_endpoint=$(echo "$apigw" | jq -r ".ApiEndpoint")
echo "apigw_endpoint=$apigw_endpoint"

integration_id=$(aws apigatewayv2 create-integration \
    --api-id "$apigw_id" \
    --integration-type AWS_PROXY \
    --integration-method GET \
    --integration-uri "$lambda_arn" \
    --payload-format-version 2.0 \
    --response-parameters "{
        \"200\": {
            \"remove:header.Content-Type\": \"''\"
        }
    }" | jq -r ".IntegrationId")

default_route_id=$(aws apigatewayv2 create-route \
    --api-id "$apigw_id" \
    --route-key "\$default" \
    --target "integrations/$integration_id")
echo "default_route_id=$default_route_id"

# Deploy the API to apply the changes
STAGE_NAME="deploy-lambda"
aws apigatewayv2 create-stage \
    --api-id "$apigw_id" \
    --stage-name "$STAGE_NAME" \
    --stage-variables "deployment=${STAGE_NAME}" > /dev/null

api_deployment_id=$(aws apigatewayv2 create-deployment \
    --api-id "$apigw_id" \
    --stage-name "$STAGE_NAME" | jq -r ".DeploymentId")
echo "api_deployment_id=$api_deployment_id"

account_id=$(aws sts get-caller-identity | jq -r ".Account")
echo "account_id=$account_id"

aws lambda add-permission \
  --function-name "$lambda_arn" \
  --statement-id "AllowExecutionFromAPIGW" \
  --action "lambda:InvokeFunction" \
  --principal "apigateway.amazonaws.com" \
  --source-arn "arn:aws:execute-api:${AWS_DEFAULT_REGION}:${account_id}:${apigw_id}/*" > /dev/null


## Question 6

A retail company needs to provide a series of data files to another company, which is its business partner. These files are saved in an Amazon S3 bucket under Account A, which belongs to the retail company. The business partner company wants one of its IAM users, User_DataProcessor, to access the files from its own AWS account (Account B).

Which combination of steps must the companies take so that User_DataProcessor can access the S3 bucket successfully? (Choose two.)

1. Turn on the cross-origin resource sharing (CORS) feature for the S3 bucket in Account A.

2. In Account A, set the S3 bucket policy to the following:
```json
{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": "arn:aws:s3:::AccountABucketName/*"
}
```
3. In Account A, set the S3 bucket policy to the following:
```json
{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::AccountB:user/User_DataProcessor"
    },
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::AccountABucketName/*"
    ]
}
```

4. In Account B, set the permissions of User_DataProcessor to the following:
```json
{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": "arn:aws:s3:::AccountABucketName/*"
}
```

5. In Account B, set the permissions of User_DataProcessor to the following:
```json
{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::AccountB:user/User_DataProcessor"
    },
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::AccountABucketName/*"
    ]
}
```

**Answer: 3 & 4**

[Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html)

Explanation:

1\. 
> Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. \
[Using cross-origin resource sharing (CORS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html)

2\.
> You must use the Principal element in resource-based policies \
[AWS JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)

5\.
> You cannot use the Principal element in an identity-based policy. Identity-based policies are permissions policies that you attach to IAM identities (users, groups, or roles). In those cases, the principal is implicitly the identity where the policy is attached. \
[AWS JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts)

## Question 7

A company is running a traditional web application on Amazon EC2 instances. The company needs to refactor the application as microservices that run on containers. Separate versions of the application exist in two distinct environments: production and testing. Load for the application is variable, but the minimum load and the maximum load are known. A solutions architect needs to design the updated application with a serverless architecture that minimizes operational complexity.

Which solution will meet these requirements MOST cost-effectively?

1. Upload the container images to AWS Lambda as functions. Configure a concurrency limit for the associated Lambda functions to handle the expected peak load. Configure two separate Lambda integrations within Amazon API Gateway: one for production and one for testing.

2. Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Container Service (Amazon ECS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the ECS clusters.

3. Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Kubernetes Service (Amazon EKS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the EKS clusters.

4. Upload the container images to AWS Elastic Beanstalk. In Elastic Beanstalk, create separate environments and deployments for production and testing. Configure two separate Application Load Balancers to direct traffic to the Elastic Beanstalk deployments.

**Answer: 2**

Explanation:
- 1: Managing multiple Lambda functions, their integrations through API Gateway and limitation on runtime can introduce complexity. In addition, we can only [create lambda from image](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html) uploaded to ECR in the same region
> To create a Lambda function from a container image, build your image locally and upload it to an Amazon Elastic Container Registry (Amazon ECR) repository. Then, specify the repository URI when you create the function. The Amazon ECR repository must be in the same AWS Region as the Lambda function
- 3: Managing and scaling EKS cluster requires more operational effort. [EKS Fargate considerations](https://docs.aws.amazon.com/eks/latest/userguide/fargate.html#fargate-considerations)
- 4: Elastic Beanstalk is not [serverless](https://aws.amazon.com/serverless/)

## Question 8

A company has a multi-tier web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB and the Auto Scaling group are replicated in a backup AWS Region. The minimum value and the maximum value for the Auto Scaling group are set to zero. An Amazon RDS Multi-AZ DB instance stores the application’s data. The DB instance has a read replica in the backup Region. The application presents an endpoint to end users by using an Amazon Route 53 record.

The company needs to reduce its RTO to less than 15 minutes by giving the application the ability to automatically fail over to the backup Region. The company does not have a large enough budget for an active-active strategy.
What should a solutions architect recommend to meet these requirements?

1. Reconfigure the application’s Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.

2. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Configure Route 53 with a health check that monitors the web application and sends an Amazon Simple Notification Service (Amazon SNS) notification to the Lambda function when the health check status is unhealthy. Update the application’s Route 53 record with a failover policy that routes traffic to the ALB in the backup Region when a health check failure occurs.

3. Configure the Auto Scaling group in the backup Region to have the same values as the Auto Scaling group in the primary Region. Reconfigure the application’s Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Remove the read replica. Replace the read replica with a standalone RDS DB instance. Configure Cross-Region Replication between the RDS DB instances by using snapshots and Amazon S3.

4. Configure an endpoint in AWS Global Accelerator with the two ALBs as equal weighted targets. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.

**Answer: 2**

use [active-passive](https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html) recovery strategies for lower budget

Explanation:
- 1 & 3: The [latency-based routing policy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-latency.html) is for improving performance

> If your application is hosted in multiple AWS Regions, you can improve performance for your users by serving their requests from the AWS Region that provides the lowest latency. 

- 4: [AWS Global Accelerator](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html) is used for  improve availability and performance for internet applications used by a global audience but not for active-passive strategies

## Question 9

A company is hosting a critical application on a single Amazon EC2 instance. The application uses an Amazon ElastiCache for Redis single-node cluster for an in-memory data store. The application uses an Amazon RDS for MariaDB DB instance for a relational database. For the application to function, each piece of the infrastructure must be healthy and must be in an active state.

A solutions architect needs to improve the application's architecture so that the infrastructure can automatically recover from failure with the least possible downtime.

Which combination of steps will meet these requirements? (Choose three.)

1. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are part of an Auto Scaling group that has a minimum capacity of two instances.

2. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are configured in unlimited mode.

3. Modify the DB instance to create a read replica in the same Availability Zone. Promote the read replica to be the primary DB instance in failure scenarios.

4. Modify the DB instance to create a Multi-AZ deployment that extends across two Availability Zones.

5. Create a replication group for the ElastiCache for Redis cluster. Configure the cluster to use an Auto Scaling group that has a minimum capacity of two instances.

6. Create a replication group for the ElastiCache for Redis cluster. Enable Multi-AZ on the cluster.

**Answer: 1, 4, 6**

Explanation:
- 2: [EC2 instances's unlimited mode](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode.html) is used for increasing performance
- 3 & 5: only [RDS Multi-AZ deployment](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html) and [ElastiCache with Multi-AZ](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html) support failover

## Question 10

A retail company is operating its ecommerce application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses an Amazon RDS DB instance as the database backend. Amazon CloudFront is configured with one origin that points to the ALB. Static content is cached. Amazon Route 53 is used to host all public zones.

After an update of the application, the ALB occasionally returns a 502 status code (Bad Gateway) error. The root cause is malformed HTTP headers that are returned to the ALB. The webpage returns successfully when a solutions architect reloads the webpage immediately after the error occurs.

While the company is working on the problem, the solutions architect needs to provide a custom error page instead of the standard ALB error page to visitors.

Which combination of steps will meet this requirement with the LEAST amount of operational overhead? (Choose two.)

1. Create an Amazon S3 bucket. Configure the S3 bucket to host a static webpage. Upload the custom error pages to Amazon S3.
2. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health check response Target.FailedHealthChecks is greater than 0. Configure the Lambda function to modify the forwarding rule at the ALB to point to a publicly accessible web server.
3. Modify the existing Amazon Route 53 records by adding health checks. Configure a fallback target if the health check fails. Modify DNS records to point to a publicly accessible webpage.
4. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health check response Elb.InternalError is greater than 0. Configure the Lambda function to modify the forwarding rule at the ALB to point to a public accessible web server.
5. Add a custom error response by configuring a CloudFront custom error page. Modify DNS records to point to a publicly accessible web page.

**Answer: 1, 5**

[Configuring error response behavior](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GeneratingCustomErrorResponses.html#custom-error-pages-procedure)

Explanation:
- 1, 5: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GeneratingCustomErrorResponses.html
- 2, 3, 4: 
    - before health check, client recieve response with status code 502
    - it's an random error, we have to change it back

## Question 11

A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts.

The company’s infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets.

Which combination of actions should the solutions architect perform to meet these requirements? (Choose two.)

1. Create a transit gateway in the infrastructure account.
2. Enable resource sharing from the AWS Organizations management account.
3. Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.
4. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
5. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix list to associate with the resource share.

#### Unknown terms:
- **[Prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/sharing-managed-prefix-lists.html)**

**Answer: 2, 4**

Explanation:
- 1: [Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) only help connect VPCs and on-prem network
> A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks.
- 2: 
> To share a prefix list with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations
- 3: can not [peer the VPCs](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html) with the same CIDR
> The accepter VPC can be owned by you, or another AWS account, and cannot have a CIDR block that overlaps with the CIDR block of the requester VPC.
- 5: it will require more operational overhead than option 4

## Question 12

A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC.
The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company’s VPC. All permissions must conform to the principles of least privilege.
Which solution meets these requirements?

1. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.
2. Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.
3. Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.
4. Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.

**Answer: 1**

Explanation:
- 2: [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) is used to connect your VPC and on-prem network
- 3: AWS PrivateLink is more suitable for conforming to the principles of least privilege than VPC peering in this client/server model
>AWS PrivateLink — Use AWS PrivateLink when you have a client/server set up where you want to allow one or more consumer VPCs unidirectional access to a specific service or set of instances in the service provider VPC. Only the clients in the consumer VPC can initiate a connection to the service in the service provider VPC. This is also a good option when client and servers in the two VPCs have overlapping IP addresses as AWS PrivateLink uses ENIs within the client VPC in a manner that ensures that are no IP conflicts with the service provider. You can access AWS PrivateLink endpoints over VPC Peering, VPN, and AWS Direct Connect. [Reference](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/aws-privatelink.html)
- 4: SaaS provider should be the one who create endpoint service and allow connect from our interface VPC endpoint

## Question 13

A company needs to implement a patching process for its servers. The on-premises servers and Amazon EC2 instances use a variety of tools to perform patching. Management requires a single report showing the patch status of all the servers and instances.
Which set of actions should a solutions architect take to meet these requirements?

1. Use AWS Systems Manager to manage patches on the on-premises servers and EC2 instances. Use Systems Manager to generate patch compliance reports.
2. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use Amazon QuickSight integration with OpsWorks to generate patch compliance reports.
3. Use an Amazon EventBridge rule to apply patches by scheduling an AWS Systems Manager patch remediation job. Use Amazon Inspector to generate patch compliance reports.
4. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use AWS X-Ray to post the patch status to AWS Systems Manager OpsCenter to generate patch compliance reports.

**Answer: 1**

Explanation:
- 2: [Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/welcome.html) is a BI service helps deliver insights and create dashboard from its
- 3: [Amazon Inspector](https://docs.aws.amazon.com/managedservices/latest/userguide/inspector.html) is used for security assessment
- 4: [AWS X-Ray](https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html) collect data from request to identify issues for distributed systems

## Question 14

A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances.

Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?

1. Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and terminate the instance using the AWS SDK.
2. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.
3. Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data. Create an Amazon EventBridge rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.
4. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.

**Answer: 2**

Explanation:
- 1: can not run script to copy the log files when sending [ABANDON to ASG](https://docs.aws.amazon.com/autoscaling/ec2/userguide/adding-lifecycle-hooks.html)
> If you choose ABANDON, the Auto Scaling group terminates the instance immediately.
- 3: EC2 user data is suitable for running script (to install package & config server) when launching instances. [Reference](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html)
- 4: SNS can not directly call API SendCommand from Systems Manager

## Question 15

A company is using multiple AWS accounts. The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The company’s applications and databases are running in Account B.
A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53.
During deployment, the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance. The solutions architect confirmed that the record set was created correctly in Route 53.
Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)

1. Deploy the database on a separate EC2 instance in the new VPC. Create a record set for the instance’s private IP in the private hosted zone.
2. Use SSH to connect to the application tier EC2 instance. Add an RDS endpoint IP address to the /etc/resolv.conf file.
3. Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B.
4. Create a private hosted zone for the example com domain in Account B. Configure Route 53 replication between AWS accounts.
5. Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A.

**Answer: 3, 5**

Explanation: these steps are included in [Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html)

## Question 16

A company used Amazon EC2 instances to deploy a web fleet to host a blog site. The EC2 instances are behind an Application Load Balancer (ALB) and are configured in an Auto Scaling group. The web application stores all blog content on an Amazon EFS volume.
The company recently added a feature for bloggers to add video to their posts, attracting 10 times the previous user traffic. At peak times of day, users report buffering and timeout issues while attempting to reach the site or watch videos.
Which is the MOST cost-efficient and scalable deployment that will resolve the issues for users?

1. Reconfigure Amazon EFS to enable maximum I/O.
2. Update the blog site to use instance store volumes for storage. Copy the site contents to the volumes at launch and to Amazon S3 at shutdown.
3. Configure an Amazon CloudFront distribution. Point the distribution to an S3 bucket, and migrate the videos from EFS to Amazon S3.
4. Set up an Amazon CloudFront distribution for all site contents, and point the distribution at the ALB.

#### Unknown terms:
- [EFS maximum I/O mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes)

**Answer: 3**

Explanation:

1. Max I/O mode helps deliver content to instance faster but not from instance to end user

2. Data will be inconsistent because the instance store can only be attached to an instance at launch

> Instance store volumes can be attached to an instance only when you launch it. You can't attach instance store volumes to an instance after you've launched it. [Add instance store volumes to your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/add-instance-store-volumes.html)

4. EFS is not as cost-effective as S3. [EFS pricing](https://aws.amazon.com/efs/pricing/) vs [S3 pricing](https://aws.amazon.com/s3/pricing/)

## Question 17

A company with global offices has a single 1 Gbps AWS Direct Connect connection to a single AWS Region. The company’s on-premises network uses the connection to communicate with the company’s resources in the AWS Cloud. The connection has a single private virtual interface that connects to a single VPC.

A solutions architect must implement a solution that adds a redundant Direct Connect connection in the same Region. The solution also must provide connectivity to other Regions through the same pair of Direct Connect connections as the company expands into other Regions.

Which solution meets these requirements?

1. Provision a Direct Connect gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the Direct Connect gateway. Connect the Direct Connect gateway to the single VPC.
2. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new private virtual interface on the new connection, and connect the new private virtual interface to the single VPC.
3. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new public virtual interface on the new connection, and connect the new public virtual interface to the single VPC.
4. Provision a transit gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the transit gateway. Associate the transit gateway with the single VPC.

#### Unknown terms:
- [Direct Connect connections](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithConnections.html): connections between our netwrok and AWS Direct Connect loctions
- [Direct Connect virtual inteface - VIF](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html)
    - Private virtual interface
    - Public virtual interface
    - Transit virtual interface
- [Virtual interface gateway](https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html#VPNGateway): gateway attach to VPC for Site-to-Site VPN and private VIF connections
- [Direct Connect gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html): 

**Answer: 1**

Explanation: 
- Reduntdant AWS Direct Connect is mentioned in [AWS Direct Connect Whitepaper](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect.html)
- A Direct Connect gateway allow us to connect to other Regions using [Virtual private gateway association](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html#virtual-private-gateway)
- We can not *expands into other Regions* using Option 3 because private VIF is used to access an VPC
- Connecting to a Transit Gateway requires a transit VIF rather than private VIF

## Question 18

A company has a web application that allows users to upload short videos. The videos are stored on Amazon EBS volumes and analyzed by custom recognition software for categorization.

The website contains static content that has variable traffic with peaks in certain months. The architecture consists of Amazon EC2 instances running in an Auto Scaling group for the web application and EC2 instances running in an Auto Scaling group to process an Amazon SQS queue. The company wants to re-architect the application to reduce operational overhead using AWS managed services where possible and remove dependencies on third-party software.

Which solution meets these requirements?

1. Use Amazon ECS containers for the web application and Spot instances for the Auto Scaling group that processes the SQS queue. Replace the custom software with Amazon Rekognition to categorize the videos.
2. Store the uploaded videos in Amazon EFS and mount the file system to the EC2 instances for the web application. Process the SQS queue with an AWS Lambda function that calls the Amazon Rekognition API to categorize the videos.
3. Host the web application in Amazon S3. Store the uploaded videos in Amazon S3. Use S3 event notification to publish events to the SQS queue. Process the SQS queue with an AWS Lambda function that calls the Amazon Rekognition API to categorize the videos.
4. Use AWS Elastic Beanstalk to launch EC2 instances in an Auto Scaling group for the web application and launch a worker environment to process the SQS queue. Replace the custom software with Amazon Rekognition to categorize the videos.

**Answer: 3**

Explanation: Because option 3 is the only one using S3 which is [scalable and high availability](https://docs.aws.amazon.com/whitepapers/latest/build-static-websites-aws/use-amazon-s3-website-hosting-to-host-without-a-single-web-server.html#scalability-and-availability) for static content web

## Question 19

A company has a serverless application comprised of Amazon CloudFront, Amazon API Gateway, and AWS Lambda functions. The current deployment process of the application code is to create a new version number of the Lambda function and run an AWS CLI script to update. If the new function version has errors, another CLI script reverts by deploying the previous working version of the function. The company would like to decrease the time to deploy new versions of the application logic provided by the Lambda functions, and also reduce the time to detect and revert when errors are identified.

How can this be accomplished?

1. Create and deploy nested AWS CloudFormation stacks with the parent stack consisting of the AWS CloudFront distribution and API Gateway, and the child stack containing the Lambda function. For changes to Lambda, create an AWS CloudFormation change set and deploy; if errors are triggered, revert the AWS CloudFormation change set to the previous version.
2. Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambda version, gradually shift traffic to the new version, and use pre-traffic and post-traffic test functions to verify code. Rollback if Amazon CloudWatch alarms are triggered.
3. Refactor the AWS CLI scripts into a single script that deploys the new Lambda version. When deployment is completed, the script tests execute. If errors are detected, revert to the previous Lambda version.
4. Create and deploy an AWS CloudFormation stack that consists of a new API Gateway endpoint that references the new Lambda version. Change the CloudFront origin to the new API Gateway endpoint, monitor errors and if detected, change the AWS CloudFront origin to the previous API Gateway endpoint.

**Answer: 2**

Explanation:
- 3, 4: the scipt tests might not cover all scenarios unlike [gradually shift traffic to the new version](https://aws.amazon.com/about-aws/whats-new/2017/11/aws-lambda-supports-traffic-shifting-and-phased-deployments-with-aws-codedeploy/)
- 1, 3, 4: revert manually when errors are identified is taking more time than [automate it using CloudWatch](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/automating-updates-to-serverless-apps.html)

## Question 20

A company is planning to store a large number of archived documents and make the documents available to employees through the corporate intranet. Employees will access the system by connecting through a client VPN service that is attached to a VPC. The data must not be accessible to the public.

The documents that the company is storing are copies of data that is held on physical media elsewhere. The number of requests will be low. Availability and speed of retrieval are not concerns of the company.

Which solution will meet these requirements at the LOWEST cost?

1. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class as default. Configure the S3 bucket for website hosting. Create an S3 interface endpoint. Configure the S3 bucket to allow access only through that endpoint.
2. Launch an Amazon EC2 instance that runs a web server. Attach an Amazon Elastic File System (Amazon EFS) file system to store the archived data in the EFS One Zone-Infrequent Access (EFS One Zone-IA) storage class Configure the instance security groups to allow access only from private networks.
3. Launch an Amazon EC2 instance that runs a web server Attach an Amazon Elastic Block Store (Amazon EBS) volume to store the archived data. Use the Cold HDD (sc1) volume type. Configure the instance security groups to allow access only from private networks.
4. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 Glacier Deep Archive storage class as default. Configure the S3 bucket for website hosting. Create an S3 interface endpoint. Configure the S3 bucket to allow access only through that endpoint.

**Answer: 4**

Explanation: Because the company stores a large number of archived documents, number request will be low and do not concerns about availability and speed of retrieval.

> At just $0.00099 per GB-month (or $1 per TB-month), S3 Glacier Deep Archive offers the lowest cost storage in the cloud [Glacier](https://aws.amazon.com/s3/storage-classes/glacier/)

## Question 21

A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company’s AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company’s AWS accounts.

The company’s security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location.

Which solution will meet these requirements?

1. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).
2. Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM Identity Center as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using IAM Identity Center permission sets.
3. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.
4. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.

#### Unknown terms:
- [IAM Identity Center (AWS Single Sign-On)](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
- [SAML 2.0](https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html): support for applications that allow identity federation
- [OpenID Connect](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)

**Answer: 4**

Explanation: 
- [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
> After you create an IAM OIDC identity provider, you must create one or more IAM roles. A role is an identity in AWS that doesn't have its own credentials (as a user does). But in this context, a role is dynamically assigned to a federated user that is authenticated by your organization's IdP.
- 1,3: SAML 2.0 used for applications identity federation

## Question 22

A software company has deployed an application that consumes a REST API by using Amazon API Gateway, AWS Lambda functions, and an Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys.

A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API’s reputation.

What should the solutions architect recommend to improve the customer experience?

1. Implement retry logic with exponential backoff and irregular variation in the client application. Ensure that the errors are caught and handled with descriptive error messages.
2. Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without error.
3. Turn on API caching to enhance responsiveness for the production stage. Run 10-minute load tests. Verify that the cache capacity is appropriate for the workload.
4. Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.

#### Unknown terms:
- [Reserved concurency](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html): is the maximum number of concurrent instances you want to allocate to your function. When a function has reserved concurrency, no other function can use that concurrency. There is no charge for configuring reserved concurrency for a function.
- [Exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff): is an algorithm to find wait time between retries

**Answer: 2**

Explanation:
- [Throttle API requests for better throughput](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html)
- 1: implement retry logic which will add more request to the api
- 3: API caching imporove API by serving repeated request but this option does not handle errors
- 4: allocate more instance does not prevent a client that making a lot of request

## Question 23

A company is running a data-intensive application on AWS. The application runs on a cluster of hundreds of Amazon EC2 instances. A shared file system also runs on several EC2 instances that store 200 TB of data. The application reads and modifies the data on the shared file system and generates a report. The job runs once monthly, reads a subset of the files from the shared file system, and takes about 72 hours to complete. The compute instances scale in an Auto Scaling group, but the instances that host the shared file system run continuously. The compute and storage instances are all in the same AWS Region.

A solutions architect needs to reduce costs by replacing the shared file system instances. The file system must provide high performance access to the needed data for the duration of the 72-hour run.
Which solution will provide the LARGEST overall cost reduction while meeting these requirements?

1. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses the S3 Intelligent-Tiering storage class. Before the job runs each month, use Amazon FSx for Lustre to create a new file system with the data from Amazon S3 by using lazy loading. Use the new file system as the shared storage for the duration of the job. Delete the file system when the job is complete.
2. Migrate the data from the existing shared file system to a large Amazon Elastic Block Store (Amazon EBS) volume with Multi-Attach enabled. Attach the EBS volume to each of the instances by using a user data script in the Auto Scaling group launch template. Use the EBS volume as the shared storage for the duration of the job. Detach the EBS volume when the job is complete
3. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses the S3 Standard storage class. Before the job runs each month, use Amazon FSx for Lustre to create a new file system with the data from Amazon S3 by using batch loading. Use the new file system as the shared storage for the duration of the job. Delete the file system when the job is complete.
4. Migrate the data from the existing shared file system to an Amazon S3 bucket. Before the job runs each month, use AWS Storage Gateway to create a file gateway with the data from Amazon S3. Use the file gateway as the shared storage for the job. Delete the file gateway when the job is complete.

**Answer: 1**

Explanation:
- 2: EBS cost more than S3
- 3: data is accessed once a month, it will be not cost-effective when using Standard class.
- 4: [AWS Storage Gateway](https://docs.aws.amazon.com/storagegateway/) is for on-prem solutions
> AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between your on-premises IT environment and the AWS storage infrastructure in the AWS Cloud.

## Question 24

A company is developing a new service that will be accessed using TCP on a static port. A solutions architect must ensure that the service is highly available, has redundancy across Availability Zones, and is accessible using the DNS name my.service.com, which is publicly accessible. The service must use fixed address assignments so other companies can add the addresses to their allow lists.

Assuming that resources are deployed in multiple Availability Zones in a single Region, which solution will meet these requirements?

1. Create Amazon EC2 instances with an Elastic IP address for each instance. Create a Network Load Balancer (NLB) and expose the static TCP port. Register EC2 instances with the NLB. Create a new name server record set named my.service.com, and assign the Elastic IP addresses of the EC2 instances to the record set. Provide the Elastic IP addresses of the EC2 instances to the other companies to add to their allow lists.
2. Create an Amazon ECS cluster and a service definition for the application. Create and assign public IP addresses for the ECS cluster. Create a Network Load Balancer (NLB) and expose the TCP port. Create a target group and assign the ECS cluster name to the NLB. Create a new A record set named my.service.com, and assign the public IP addresses of the ECS cluster to the record set. Provide the public IP addresses of the ECS cluster to the other companies to add to their allow lists.
3. Create Amazon EC2 instances for the service. Create one Elastic IP address for each Availability Zone. Create a Network Load Balancer (NLB) and expose the assigned TCP port. Assign the Elastic IP addresses to the NLB for each Availability Zone. Create a target group and register the EC2 instances with the NLB. Create a new A (alias) record set named my.service.com, and assign the NLB DNS name to the record set.
4. Create an Amazon ECS cluster and a service definition for the application. Create and assign public IP address for each host in the cluster. Create an Application Load Balancer (ALB) and expose the static TCP port. Create a target group and assign the ECS service definition name to the ALB. Create a new CNAME record set and associate the public IP addresses to the record set. Provide the Elastic IP addresses of the Amazon EC2 instances to the other companies to add to their allow lists.

**Answer: 3**

Explanation:
- 2 & 4: ECS is suitable for container solutions. In additional, public IP addresses do not match the requirement, *the service must use fixed address*.
- 1: every [AWS account only have 5 EIP addresses per Region](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit), request still have to route through NLB so if we don't [attach EIP to NLB](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#availability-zones) we can not whitelist it
> When you create an internet-facing load balancer, you can optionally specify one Elastic IP address per subnet. If you do not choose one of your own Elastic IP addresses, Elastic Load Balancing provides one Elastic IP address per subnet for you. These Elastic IP addresses provide your load balancer with static IP addresses that will not change during the life of the load balancer. You can't change these Elastic IP addresses after you create the load balancer.

## Question 25

A company uses an on-premises data analytics platform. The system is highly available in a fully redundant configuration across 12 servers in the company’s data center.

The system runs scheduled jobs, both hourly and daily, in addition to one-time requests from users. Scheduled jobs can take between 20 minutes and 2 hours to finish running and have tight SLAs. The scheduled jobs account for 65% of the system usage. User jobs typically finish running in less than 5 minutes and have no SLA. The user jobs account for 35% of system usage. During system failures, scheduled jobs must continue to meet SLAs. However, user jobs can be delayed.

A solutions architect needs to move the system to Amazon EC2 instances and adopt a consumption-based model to reduce costs with no long-term commitments. The solution must maintain high availability and must not affect the SLAs.

Which solution will meet these requirements MOST cost-effectively?

1. Split the 12 instances across two Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand Instances with Capacity Reservations. Run four instances in each Availability Zone as Spot Instances.
2. Split the 12 instances across three Availability Zones in the chosen AWS Region. In one of the Availability Zones, run all four instances as On-Demand Instances with Capacity Reservations. Run the remaining instances as Spot Instances.
3. Split the 12 instances across three Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand Instances with a Savings Plan. Run two instances in each Availability Zone as Spot Instances.
4. Split the 12 instances across three Availability Zones in the chosen AWS Region. Run three instances in each Availability Zone as On-Demand Instances with Capacity Reservations. Run one instance in each Availability Zone as a Spot Instance.

#### Unknown terms:
- [On-Demand Capacity Reservations](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html): reserved the number of instances in a region

**Answer: 4**

Explanation:
- 1: The porpotion for the On-Demand Instances can not satisfy the needed of availability for scheduled jobs
- 2: Place all On-Demand Instances in one AZ does not achieve high availability
- 3: [Saving plan](https://docs.aws.amazon.com/savingsplans/latest/userguide/what-is-savings-plans.html) requires 1/3 years commitment
> Savings Plans provide savings beyond On-Demand rates in exchange for a commitment of using a specified amount of compute power (measured per hour) for a one or three year period

## Question 26

A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:
- The database must use strong, randomly generated passwords stored in a secure AWS managed service.
- The application resources must be deployed through AWS CloudFormation.
- The application must rotate credentials for the database every 90 days.
A solutions architect will generate a CloudFormation template to deploy the application.

Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

1. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
2. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
3. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
4. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.

**Answer: 1**

Explanation:
- AWS Secret Manager automates the process of updating credentials without using EventBridge. [Managed rotation for AWS Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_managed.html)

## Question 27

A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand.
Which solutions meet these requirements? (Choose two.)

1. Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
2. Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
3. Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.
4. Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.
5. Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions.

**Answer: 1, 4**

Explanation:
- 1: [Use API Gateway as a proxy for DynomoDB](https://aws.amazon.com/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/)
- 4: not choose 5 because [Network Load Balancers do not support the lambda target type](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type)

## Question 28

A company has registered 10 new domain names. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL for each domain. All domains and target URLs are defined in a JSON document. All DNS records are managed by Amazon Route 53.

A solutions architect must implement a redirect service that accepts HTTP and HTTPS requests.

Which combination of steps should the solutions architect take to meet these requirements with the LEAST amount of operational effort? (Choose three.)

1. Create a dynamic webpage that runs on an Amazon EC2 instance. Configure the webpage to use the JSON document in combination with the event message to look up and respond with a redirect URL.
2. Create an Application Load Balancer that includes HTTP and HTTPS listeners.
3. Create an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a redirect URL.
4. Use an Amazon API Gateway API with a custom domain to publish an AWS Lambda function.
5. Create an Amazon CloudFront distribution. Deploy a Lambda@Edge function.
6. Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names.

**Answer: 3, 5, 6**

#### Unknown terms:
- [Subject Alternative Name (SAN)](https://en.wikipedia.org/wiki/Subject_Alternative_Name) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field.

Explanation:
- *The LEAST amount of operational effort* -> serverless
- 5: [Handling Redirects@Edge](https://aws.amazon.com/es/blogs/networking-and-content-delivery/handling-redirectsedge-part1/)
- 3: To use Lambda@Edge you must create a Lambda function [Tutorial: Creating a simple Lambda@Edge function
](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works-tutorial.html)
- 6: ACM can integrate with CloudFront to handle HTTPS request. [Reference](https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html) 

## Question 29

A company that has multiple AWS accounts is using AWS Organizations. The company’s AWS accounts host VPCs, Amazon EC2 instances, and containers.

The company’s compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2 instances and send information to the AWS account that is dedicated for the compliance team. The company has tagged all the compliance-related resources with a key of “costCenter” and a value or “compliance”.

The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the compliance team’s AWS account. The cost calculation must be as accurate as possible.

What should a solutions architect do to meet these requirements?

1. In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources.
2. In the member accounts of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Schedule a monthly AWS Lambda function to retrieve the reports and calculate the total cost for the costCenter tagged resources.
3. In the member accounts of the organization activate the costCenter user-defined tag. From the management account, schedule a monthly AWS Cost and Usage Report. Use the tag breakdown in the report to calculate the total cost for the costCenter tagged resources.
4. Create a custom report in the organization view in AWS Trusted Advisor. Configure the report to generate a monthly billing summary for the costCenter tagged resources in the compliance team’s AWS account.

**Answer: 1**

Explanation:
- 2: User-defined tag can be use to calculate cost of using AWS Cost and Usage Reports. Reference: [Using AWS cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html)
- 3: AWS Cost and Usage Reports are typically configured within the individual accounts to ensure granular data. [Reference](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html)
> Each report contains line items for each unique combination of AWS products, usage type, and operation that you use in your AWS account
- 4: [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html) helps find and reduce cost
> Trusted Advisor inspects your AWS environment, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.

## Question 30

A company is planning to store a large number of archived documents and make the documents available to employees through the corporate intranet. Employees will access the system by connecting through a client VPN service A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company wants to use AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment.

Which combination of steps will meet these requirements? (Choose two.)

1. From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager.
2. From the management account, share the transit gateway with member accounts by using an AWS Organizations SCP.
3. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.
4. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit gateway service-linked role.
5. From the management account, share the transit gateway with member accounts by using AWS Service Catalog.

**Answer: 1, 3**

#### Unknow terms:
- [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html): predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf
- [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) (AWS RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs)

Explanation:
- 2: [AWS Organizations SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html): use to manage permissions in your organization
- 4: [peering transit gateway attatchment](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-peering-scenario.html) is used to connect 2 TGW
- 5: [Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) allows organizations to centrally manage commonly deployed IT services

## Question 31

An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by procurement managers. The procurement team’s policy indicates that developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The procurement team wants administration of Private Marketplace to be restricted to a role named procurement-manager-role, which could be assumed by procurement managers. Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access.
What is the MOST efficient way to design an architecture to meet these requirements?

1. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
2. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
3. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
4. Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.

**Answer: **

Explanation:

## Question 32

A company is in the process of implementing AWS Organizations to constrain its developers to use only Amazon EC2, Amazon S3, and Amazon DynamoDB. The developers account resides in a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers account:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowDynamoDB",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowS3",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```
When this policy is deployed, IAM users in the developers account are still able to use AWS services that are not listed in the policy.

What should the solutions architect do to eliminate the developers’ ability to use services outside the scope of this policy?

1. Create an explicit deny statement for each AWS service that should be constrained.
2. Remove the FullAWSAccess SCP from the developers account’s OU.
3. Modify the FullAWSAccess SCP to explicitly deny all services.
4. Add an explicit deny statement using a wildcard to the end of the SCP.

**Answer: 2**

Explanation:
- Because the given SCP is `Allow` statement and `FullAWSAccess` is attached to OU [SCP evaluation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html)
> when you enable SCPs, AWS Organizations attaches an AWS managed SCP policy named FullAWSAccess which allows all services and actions

## Question 33

A company is hosting a monolithic REST-based API for a mobile app on five Amazon EC2 instances in public subnets of a VPC. Mobile clients connect to the API by using a domain name that is hosted on Amazon Route 53. The company has created a Route 53 multivalue answer routing policy with the IP addresses of all the EC2 instances. Recently, the app has been overwhelmed by large and sudden increases to traffic. The app has not been able to keep up with the traffic.
   
A solutions architect needs to implement a solution so that the app can handle the new and varying load.

Which solution will meet these requirements with the LEAST operational overhead?

1. Separate the API into individual AWS Lambda functions. Configure an Amazon API Gateway REST API with Lambda integration for the backend. Update the Route 53 record to point to the API Gateway API.
2. Containerize the API logic. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Run the containers in the cluster by using Amazon EC2. Create a Kubernetes ingress. Update the Route 53 record to point to the Kubernetes ingress.
3. Create an Auto Scaling group. Place all the EC2 instances in the Auto Scaling group. Configure the Auto Scaling group to perform scaling actions that are based on CPU utilization. Create an AWS Lambda function that reacts to Auto Scaling group changes and updates the Route 53 record.
4. Create an Application Load Balancer (ALB) in front of the API. Move the EC2 instances to private subnets in the VPC. Add the EC2 instances as targets for the ALB. Update the Route 53 record to point to the ALB.

**Answer: 1**

Explanation:
- 2: This solution run EKS cluster with EC2 instead on [AWS Fargate](https://docs.aws.amazon.com/eks/latest/userguide/fargate.html), it can not scale up the number of instance when a large increases of traffic comes
> Fargate is a technology that provides on-demand, right-sized compute capacity for containers.
- 3: When compare this option with using Lambda function, a serverless compute service that lets you run code without provisioning or managing servers, Lambda will be cheaper because it's only base on the number of request. [Lambda pricing](https://aws.amazon.com/lambda/pricing/)
- 4: This option add an [ALB](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) which only help distribute load but does not help scale the system to meet the sudden traffic
> The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances,


## Question 34

A company has created an OU in AWS Organizations for each of its engineering teams. Each OU owns multiple AWS accounts. The organization has hundreds of AWS accounts.

A solutions architect must design a solution so that each OU can view a breakdown of usage costs across its AWS accounts.

Which solution meets these requirements?

1. Create an AWS Cost and Usage Report (CUR) for each OU by using AWS Resource Access Manager. Allow each team to visualize the CUR through an Amazon QuickSight dashboard.
2. Create an AWS Cost and Usage Report (CUR) from the AWS Organizations management account. Allow each team to visualize the CUR through an Amazon QuickSight dashboard.
3. Create an AWS Cost and Usage Report (CUR) in each AWS Organizations member account. Allow each team to visualize the CUR through an Amazon QuickSight dashboard.
4. Create an AWS Cost and Usage Report (CUR) by using AWS Systems Manager. Allow each team to visualize the CUR through Systems Manager OpsCenter dashboards.

**Answer: 2**

Explanation:
- 1: [AWS Resource Access Manager](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ram.html) is used for sharing specified AWS resources that you own with other AWS accounts
- 3: [Using Cost and Usage Reports for AWS Organizations](https://docs.aws.amazon.com/cur/latest/userguide/cur-consolidated-billing.html)
> If you have permissions to create a Cost and Usage Report for a member account within an organization, you can create a report for only the member account’s cost and usage data
- 4: [AWS recommend using QuickSight for visualization](https://docs.aws.amazon.com/cur/latest/userguide/cur-query-other.html#cur-query-other-qs)

## Question 35

A company is storing data on premises on a Windows file server. The company produces 5 GB of new data daily.
The company migrated part of its Windows-based workload to AWS and needs the data to be available on a file system in the cloud. The company already has established an AWS Direct Connect connection between the on-premises network and AWS.
Which data migration strategy should the company use?

1. Use the file gateway option in AWS Storage Gateway to replace the existing Windows file server, and point the existing file share to the new file gateway.
2. Use AWS DataSync to schedule a daily task to replicate data between the on-premises Windows file server and Amazon FSx.
3. Use AWS Data Pipeline to schedule a daily task to replicate data between the on-premises Windows file server and Amazon Elastic File System (Amazon EFS).
4. Use AWS DataSync to schedule a daily task to replicate data between the on-premises Windows file server and Amazon Elastic File System (Amazon EFS).

**Answer: **

Explanation:

## Question 36

A company’s solutions architect is reviewing a web application that runs on AWS. The application references static assets in an Amazon S3 bucket in the us-east-1 Region. The company needs resiliency across multiple AWS Regions. The company already has created an S3 bucket in a second Region.

Which solution will meet these requirements with the LEAST operational overhead?

1. Configure the application to write each object to both S3 buckets. Set up an Amazon Route 53 public hosted zone with a record set by using a weighted routing policy for each S3 bucket. Configure the application to reference the objects by using the Route 53 DNS name.
2. Create an AWS Lambda function to copy objects from the S3 bucket in us-east-1 to the S3 bucket in the second Region. Invoke the Lambda function each time an object is written to the S3 bucket in us-east-1. Set up an Amazon CloudFront distribution with an origin group that contains the two S3 buckets as origins.
3. Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region. Set up an Amazon CloudFront distribution with an origin group that contains the two S3 buckets as origins.
4. Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region. If failover is required, update the application code to load S3 objects from the S3 bucket in the second Region.

**Answer: 3**

Explanation:
- 1: Operational overhead increases because the application has to write to both S3 buckets.
- 2: Using Lambda instead built-in [Cross-Region Replication](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html#crr-scenario) will add complexity
- 4: [CloudFront distribution with origin group](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginGroup.html) includes failover mechanism already, we don't have to update application manually

## Question 37

A company is hosting a three-tier web application in an on-premises environment. Due to a recent surge in traffic that resulted in downtime and a significant financial impact, company management has ordered that the application be moved to AWS. The application is written in .NET and has a dependency on a MySQL database. A solutions architect must design a scalable and highly available solution to meet the demand of 200,000 daily users.

Which steps should the solutions architect take to design an appropriate solution?

1. Use AWS Elastic Beanstalk to create a new application with a web server environment and an Amazon RDS MySQL Multi-AZ DB instance. The environment should launch a Network Load Balancer (NLB) in front of an Amazon EC2 Auto Scaling group in multiple Availability Zones. Use an Amazon Route 53 alias record to route traffic from the company’s domain to the NLB.
2. Use AWS CloudFormation to launch a stack containing an Application Load Balancer (ALB) in front of an Amazon EC2 Auto Scaling group spanning three Availability Zones. The stack should launch a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a Retain deletion policy. Use an Amazon Route 53 alias record to route traffic from the company’s domain to the ALB.
3. Use AWS Elastic Beanstalk to create an automatically scaling web server environment that spans two separate Regions with an Application Load Balancer (ALB) in each Region. Create a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a cross-Region read replica. Use Amazon Route 53 with a geoproximity routing policy to route traffic between the two Regions.
4. Use AWS CloudFormation to launch a stack containing an Application Load Balancer (ALB) in front of an Amazon ECS cluster of Spot instances spanning three Availability Zones. The stack should launch an Amazon RDS MySQL DB instance with a Snapshot deletion policy. Use an Amazon Route 53 alias record to route traffic from the company’s domain to the ALB.

**Answer: **

Explanation:
- 1: Amazon Aurora with Multi-AZ deployments provides higher availability and scalable then an RDS MySQL Multi-AZ DB instance
- 3: AWS Elastic Beanstalk does not support spans 2 seperate Reigions
- 4: [Spot instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html) can not afford the requirement of high availability
> Spot Instances are a cost-effective choice if you can be flexible about when your applications run and if your applications can be interrupted

## Question 38

A company is using AWS Organizations to manage multiple AWS accounts. For security purposes, the company requires the creation of an Amazon Simple Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations member accounts.

A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of CloudFormation stacks. Trusted access has been enabled in Organizations.

What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?

1. Create a stack set in the Organizations member accounts. Use service-managed permissions. Set deployment options to deploy to an organization. Use CloudFormation StackSets drift detection.
2. Create stacks in the Organizations member accounts. Use self-service permissions. Set deployment options to deploy to an organization. Enable the CloudFormation StackSets automatic deployment.
3. Create a stack set in the Organizations management account. Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets automatic deployment.
4. Create stacks in the Organizations management account. Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets drift detection.

#### Unknow terms:
- [CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation

**Answer: 3**

Explanation:
- [Use CloudFormation StackSets to Provision Resources Across Multiple AWS Accounts and Regions](https://aws.amazon.com/blogs/aws/use-cloudformation-stacksets-to-provision-resources-across-multiple-aws-accounts-and-regions/)
> The administrator account owns one or more StackSets and controls deployment to one or more target accounts.

## Question 39

A company wants to migrate its workloads from on premises to AWS. The workloads run on Linux and Windows. The company has a large on-premises infrastructure that consists of physical machines and VMs that host numerous applications.

The company must capture details about the system configuration, system performance, running processes, and network connections of its on-premises workloads. The company also must divide the on-premises applications into groups for AWS migrations. The company needs recommendations for Amazon EC2 instance types so that the company can run its workloads on AWS in the most cost-effective manner.

Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)

1. Assess the existing applications by installing AWS Application Discovery Agent on the physical machines and VMs.
2. Assess the existing applications by installing AWS Systems Manager Agent on the physical machines and VMs.
3. Group servers into applications for migration by using AWS Systems Manager Application Manager.
4. Group servers into applications for migration by using AWS Migration Hub.
5. Generate recommended instance types and associated costs by using AWS Migration Hub.
6. Import data about server sizes into AWS Trusted Advisor. Follow the recommendations for cost optimization.

**Answer: 1, 4, 5**

Explanation:
- 1: use [AWS Application Discovery Agent](https://docs.aws.amazon.com/application-discovery/latest/userguide/discovery-agent.html), software that you install on on-premises servers and VMs targeted for discovery and migration, instead of [AWS Systems Manager Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html), Amazon software used for managing VM
- 4: [AWS Systems Manager Application Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/application-manager.html) can only group resources in AWS
- 5: [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html) does not have import server data to get recommendation 
> Trusted Advisor inspects your AWS environment, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.

## Question 40

A company is hosting an image-processing service on AWS in a VPC. The VPC extends across two Availability Zones. Each Availability Zone contains one public subnet and one private subnet.

The service runs on Amazon EC2 instances in the private subnets. An Application Load Balancer in the public subnets is in front of the service. The service needs to communicate with the internet and does so through two NAT gateways. The service uses Amazon S3 for image storage. The EC2 instances retrieve approximately 1 ТВ of data from an S3 bucket each day.

The company has promoted the service as highly secure. A solutions architect must reduce cloud expenditures as much as possible without compromising the service’s security posture or increasing the time spent on ongoing operations.

Which solution will meet these requirements?

1. Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.
2. Move the EC2 instances to the public subnets. Remove the NAT gateways.
3. Set up an S3 gateway VPC endpoint in the VPAttach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.
4. Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the images on the EFS volume.

**Answer: 3**

Explanation:
- [NAT gateway pricing](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-pricing)
> If most traffic through your NAT gateway is to AWS services that support interface endpoints or gateway endpoints, consider creating an interface endpoint or gateway endpoint for these services. For more information about the potential cost savings
- 1: Replace the NAT gateways with NAT instances will not only not reduce cloud expenditures but also introduce an operational cost
- 2: The services's security posture will be compromised. [Subnet security](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html#subnet-security)
> To protect your AWS resources, we recommend that you use private subnets. Use a bastion host or NAT device to provide internet access to resources, such as EC2 instances, in a private subnet.
- 4: EFS will not help reduce the cose