SAA L2P 601-650 v24.021

Question 1

QUESTION 650
A company has a financial application that produces reports. The reports average 50 KB in size
and are stored in Amazon S3. The reports are frequently accessed during the first week after
production and must be stored for several years. The reports must be retrievable within 6 hours.
Which solution meets these requirements MOST cost-effectively?
A. Use S3 Standard. Use an S3 Lifecycle rule to transition the reports to S3 Glacier after 7 days.
B. Use S3 Standard. Use an S3 Lifecycle rule to transition the reports to S3 Standard-Infrequent
Access (S3 Standard-IA) after 7 days.
C. Use S3 Intelligent-Tiering. Configure S3 Intelligent-Tiering to transition the reports to S3
Standard-Infrequent Access (S3 Standard-IA) and S3 Glacier.
D. Use S3 Standard. Use an S3 Lifecycle rule to transition the reports to S3 Glacier Deep Archive
after 7 days.

Answer 1

A. Use S3 Standard. Use an S3 Lifecycle rule to transition the reports to S3 Glacier after 7 days.

Explanation:
Amazon S3 Glacier:
Expedited Retrieval: Provides access to data within 1-5 minutes.
Standard Retrieval: Provides access to data within 3-5 hours.
Bulk Retrieval: Provides access to data within 5-12 hours.
Amazon S3 Glacier Deep Archive:
Standard Retrieval: Provides access to data within 12 hours.
Bulk Retrieval: Provides access to data within 48 hours.

Question 2

QUESTION 649
A company is using AWS Key Management Service (AWS KMS) keys to encrypt AWS Lambda
environment variables. A solutions architect needs to ensure that the required permissions are in
place to decrypt and use the environment variables.
Which steps must the solutions architect take to implement the correct permissions? (Choose
two.)
A. Add AWS KMS permissions in the Lambda resource policy.
B. Add AWS KMS permissions in the Lambda execution role.
C. Add AWS KMS permissions in the Lambda function policy.
D. Allow the Lambda execution role in the AWS KMS key policy.
E. Allow the Lambda resource policy in the AWS KMS key policy.

Answer 2

B. Add AWS KMS permissions in the Lambda execution role.
D. Allow the Lambda execution role in the AWS KMS key policy.

Explanation:
To decrypt environment variables encrypted with AWS KMS, Lambda needs to be granted
permissions to call KMS APIs. This is done in two places:
The Lambda execution role needs kms:Decrypt and kms:GenerateDataKey permissions added.
The execution role governs what AWS services the function code can access.
The KMS key policy needs to allow the Lambda execution role to have kms:Decrypt and
kms:GenerateDataKey permissions for that specific key. This allows the execution role to use that particular key.

Question 3

QUESTION 648
A company has created a multi-tier application for its ecommerce website. The website uses an
Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and
a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database
needs to retrieve product catalog and pricing information that is hosted on the internet by a third-
party provider. A solutions architect must devise a strategy that maximizes security without
increasing operational overhead.
What should the solutions architect do to meet these requirements?
A. Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance.
B. Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all
internet-bound traffic to the NAT gateway.
C. Configure an internet gateway and attach it to the VPModify the private subnet route table to
direct internet-bound traffic to the internet gateway.
D. Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table
to direct internet-bound traffic to the virtual private gateway.

Answer 3

B. Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all
internet-bound traffic to the NAT gateway.

Question 4

QUESTION 647
A company has separate AWS accounts for its finance, data analytics, and development
departments. Because of costs and security concerns, the company wants to control which
services each AWS account can use.
Which solution will meet these requirements with the LEAST operational overhead?

A. Use AWS Systems Manager templates to control which AWS services each department can use.
B. Create organization units (OUs) for each department in AWS Organizations. Attach service
control policies (SCPs) to the OUs.
C. Use AWS CloudFormation to automatically provision only the AWS services that each department
can use.
D. Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the
usage of specific AWS services.

Answer 4

B. Create organization units (OUs) for each department in AWS Organizations. Attach service
control policies (SCPs) to the OUs.

Question 5

QUESTION 646
A company has data collection sensors at different locations. The data collection sensors stream
a high volume of data to the company. The company wants to design a platform on AWS to
ingest and process high-volume streaming data. The solution must be scalable and support data
collection in near real time. The company must store the data in Amazon S3 for future reporting.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use Amazon Kinesis Data Firehose to deliver streaming data to Amazon S3.
B. Use AWS Glue to deliver streaming data to Amazon S3.
C. Use AWS Lambda to deliver streaming data and store the data to Amazon S3.
D. Use AWS Database Migration Service (AWS DMS) to deliver streaming data to Amazon S3.

Answer 5

A. Use Amazon Kinesis Data Firehose to deliver streaming data to Amazon S3.

Explanation:
Amazon Kinesis Data Firehose: Capture, transform, and load data streams into AWS data stores
(S3) in near real-time.

Question 6

QUESTION 645
A recent analysis of a company’s IT expenses highlights the need to reduce backup costs. The
company’s chief information officer wants to simplify the on-premises backup infrastructure and
reduce costs by eliminating the use of physical backup tapes. The company must preserve the
existing investment in the on-premises backup applications and workflows.
What should a solutions architect recommend?
A. Set up AWS Storage Gateway to connect with the backup applications using the NFS interface.
B. Set up an Amazon EFS file system that connects with the backup applications using the NFS
interface.
C. Set up an Amazon EFS file system that connects with the backup applications using the iSCSI
interface.
D. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual
tape library (VTL) interface.

Answer 6

D. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual
tape library (VTL) interface.

Explanation:
https://aws.amazon.com/storagegateway/vtl/?nc1=h_ls

Question 7

QUESTION 644
A retail company uses a regional Amazon API Gateway API for its public REST APIs. The API
Gateway endpoint is a custom domain name that points to an Amazon Route 53 alias record. A
solutions architect needs to create a solution that has minimal effects on customers and minimal
data loss to release the new version of APIs.
Which solution will meet these requirements?
A. Create a canary release deployment stage for API Gateway. Deploy the latest API version. Point
an appropriate percentage of traffic to the canary stage. After API verification, promote the canary
stage to the production stage.
B. Create a new API Gateway endpoint with a new version of the API in OpenAPI YAML file format.
Use the import-to-update operation in merge mode into the API in API Gateway. Deploy the new
version of the API to the production stage.
C. Create a new API Gateway endpoint with a new version of the API in OpenAPI JSON file format.
Use the import-to-update operation in overwrite mode into the API in API Gateway. Deploy the
new version of the API to the production stage.
D. Create a new API Gateway endpoint with new versions of the API definitions. Create a custom
domain name for the new API Gateway API. Point the Route 53 alias record to the new API
Gateway API custom domain name.

Answer 7

A. Create a canary release deployment stage for API Gateway. Deploy the latest API version. Point
an appropriate percentage of traffic to the canary stage. After API verification, promote the canary
stage to the production stage.

In a canary release deployment, total API traffic is separated at random into a production release
and a canary release with a pre-configured ratio. Typically, the canary release receives a small
percentage of API traffic and the production release takes up the rest. The updated API features
are only visible to API traffic through the canary. You can adjust the canary traffic percentage to
optimize test coverage or performance.
https://docs.aws.amazon.com/apigateway/latest/developerguide/canary-release.html

Question 8

QUESTION 643
A company runs Amazon EC2 instances in multiple AWS accounts that are individually bled. The company recently purchased a Savings Plan. Because of changes in the company’s business requirements, the company has decommissioned a large number of EC2 instances. The company wants to use its Savings Plan discounts on its other AWS accounts.

Which combination of steps will meet these requirements? (Choose two.)

A. From the AWS Account Management Console of the management account, turn on discount sharing from the billing preferences section.

B. From the AWS Account Management Console of the account that purchased the existing Savings Plan, turn on discount sharing from the billing preferences section. Include all accounts.

C. From the AWS Organizations management account, use AWS Resource Access Manager (AWS RAM) to share the Savings Plan with other accounts.

D. Create an organization in AWS Organizations in a new payer account. Invite the other AWS accounts to join the organization from the management account.

E. Create an organization in AWS Organizations in the existing AWS account with the existing EC2 instances and Savings Plan. Invite the other AWS accounts to join the organization from the management account.

Answer 8

A. From the AWS Account Management Console of the management account, turn on discount
sharing from the billing preferences section.
E. Create an organization in AWS Organizations in the existing AWS account with the existing EC2
instances and Savings Plan. Invite the other AWS accounts to join the organization from the
management account.

Explanation:
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ri-turn-off.html

Question 9

QUESTION 642
A media company uses an Amazon CloudFront distribution to deliver content over the internet.
The company wants only premium customers to have access to the media streams and file
content. The company stores all content in an Amazon S3 bucket. The company also delivers
content on demand to customers for a specific purpose, such as movie rentals or music
downloads.
Which solution will meet these requirements?
A. Generate and provide S3 signed cookies to premium customers.
B. Generate and provide CloudFront signed URLs to premium customers.
C. Use origin access control (OAC) to limit the access of non-premium customers.
D. Generate and activate field-level encryption to block non-premium customers.

Answer 9

B. Generate and provide CloudFront signed URLs to premium customers.

Question 10

QUESTION 641
A company wants to build a web application on AWS. Client access requests to the website are
not predictable and can be idle for a long time. Only customers who have paid a subscription fee
can have the ability to sign in and use the web application.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)
A. Create an AWS Lambda function to retrieve user information from Amazon DynamoDB. Create
an Amazon API Gateway endpoint to accept RESTful APIs. Send the API calls to the Lambda
function.
B. Create an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load
Balancer to retrieve user information from Amazon RDS. Create an Amazon API Gateway
endpoint to accept RESTful APIs. Send the API calls to the Lambda function.
C. Create an Amazon Cognito user pool to authenticate users.
D. Create an Amazon Cognito identity pool to authenticate users.
E. Use AWS Amplify to serve the frontend web content with HTML, CSS, and JS. Use an integrated
Amazon CloudFront configuration.
F. Use Amazon S3 static web hosting with PHP, CSS, and JS. Use Amazon CloudFront to serve the
frontend web content.

Answer 10

A. Create an AWS Lambda function to retrieve user information from Amazon DynamoDB. Create
an Amazon API Gateway endpoint to accept RESTful APIs. Send the API calls to the Lambda
function.
C. Create an Amazon Cognito user pool to authenticate users.
E. Use AWS Amplify to serve the frontend web content with HTML, CSS, and JS. Use an integrated
Amazon CloudFront configuration.

Create a web application = AWS Amplify Sign in users = Amazon Cognito User Pool Traffic may be idle for a long time = AWS Lambda Amazon S3 does not support server-side scripts such as PHP, JSP, or ASP.NET. https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html? Icmpid=docs_amazon s3_console#:~:text=website%20relies%20on-,server%2Dside,-processing%2C%20including%20server Traffic may be idle for a long time = AWS Lambda Use the exclude method: No need to container (does not need to run all the time), remove B. PHP cannot run with static Amazon S3, remove F.(S3 doesn’t support server-side scripts, PHP is a server-side script)

Option B (Amazon ECS) is not the best option since the website “can be idle for a long time”, so Lambda (Option A) is a more cost-effective choice. Option D is incorrect because User pools are for authentication (identity verification) while Identity pools are for authorization (access control). Option F is wrong because S3 web hosting only supports static web files like HTML/CSS, and does not support PHP or JavaScript.

Question 11

QUESTION 640
A company has an on-premises server that uses an Oracle database to process and store
customer information. The company wants to use an AWS database service to achieve higher
availability and to improve application performance. The company also wants to offload reporting
from its primary database system.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Use AWS Database Migration Service (AWS DMS) to create an Amazon RDS DB instance in
multiple AWS Regions. Point the reporting functions toward a separate DB instance from the
primary DB instance.
B. Use Amazon RDS in a Single-AZ deployment to create an Oracle database. Create a read replica
in the same zone as the primary DB instance. Direct the reporting functions to the read replica.
C. Use Amazon RDS deployed in a Multi-AZ cluster deployment to create an Oracle database.
Direct the reporting functions to use the reader instance in the cluster deployment.
D. Use Amazon RDS deployed in a Multi-AZ instance deployment to create an Amazon Aurora
database. Direct the reporting functions to the reader instances.

Answer 11

C. Use Amazon RDS deployed in a Multi-AZ cluster deployment to create an Oracle database.
Direct the reporting functions to use the reader instance in the cluster deployment.

https://aws.amazon.com/rds/oracle/#

Question 12

QUESTION 639
A company wants to use the AWS Cloud to improve its on-premises disaster recovery (DR)
configuration. The company’s core production business application uses Microsoft SQL Server
Standard, which runs on a virtual machine (VM). The application has a recovery point objective
(RPO) of 30 seconds or fewer and a recovery time objective (RTO) of 60 minutes. The DR
solution needs to minimize costs wherever possible.
Which solution will meet these requirements?
A. Configure a multi-site active/active setup between the on-premises server and AWS by using
Microsoft SQL Server Enterprise with Always On availability groups.
B. Configure a warm standby Amazon RDS for SQL Server database on AWS. Configure AWS
Database Migration Service (AWS DMS) to use change data capture (CDC).
C. Use AWS Elastic Disaster Recovery configured to replicate disk changes to AWS as a pilot light.
D. Use third-party backup software to capture backups every night. Store a secondary set of
backups in Amazon S3.

Answer 12

C. Use AWS Elastic Disaster Recovery configured to replicate disk changes to AWS as a pilot light.

https://aws.amazon.com/tw/blogs/architecture/disaster-recovery-dr-architecture-on-aws-part-iii-pilot-light-and-warm-standby/

Other options:
B. Configure a warm standby Amazon RDS for SQL Server database on AWS. Configure AWS Database Migration Service (AWS DMS) to use change data capture (CDC). – RDS might not support all features. Not going like-for-like

Question 13

QUESTION 638
A global video streaming company uses Amazon CloudFront as a content distribution network
(CDN). The company wants to roll out content in a phased manner across multiple countries. The
company needs to ensure that viewers who are outside the countries to which the company rolls
out content are not able to view the content.
Which solution will meet these requirements?
A. Add geographic restrictions to the content in CloudFront by using an allow list. Set up a custom
error message.
B. Set up a new URL tor restricted content. Authorize access by using a signed URL and cookies.
Set up a custom error message.
C. Encrypt the data for the content that the company distributes. Set up a custom error message.
D. Create a new URL for restricted content. Set up a time-restricted access policy for signed URLs.

Answer 13

A. Add geographic restrictions to the content in CloudFront by using an allow list. Set up a custom
error message.

Explanation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

Question 14

QUESTION 637
A company runs a three-tier web application in the AWS Cloud that operates across three
Availability Zones. The application architecture has an Application Load Balancer, an Amazon
EC2 web server that hosts user session states, and a MySQL database that runs on an EC2
instance. The company expects sudden increases in application traffic. The company wants to be
able to scale to meet future application capacity demands and to ensure high availability across
all three Availability Zones.
Which solution will meet these requirements?
A. Migrate the MySQL database to Amazon RDS for MySQL with a Multi-AZ DB cluster deployment.
Use Amazon ElastiCache for Redis with high availability to store session data and to cache
reads. Migrate the web server to an Auto Scaling group that is in three Availability Zones.
B. Migrate the MySQL database to Amazon RDS for MySQL with a Multi-AZ DB cluster deployment.
Use Amazon ElastiCache for Memcached with high availability to store session data and to cache
reads. Migrate the web server to an Auto Scaling group that is in three Availability Zones.
C. Migrate the MySQL database to Amazon DynamoDB Use DynamoDB Accelerator (DAX) to cache reads. Store the session data in DynamoDB. Migrate the web server to an Auto Scaling
group that is in three Availability Zones.
D. Migrate the MySQL database to Amazon RDS for MySQL in a single Availability Zone. Use
Amazon ElastiCache for Redis with high availability to store session data and to cache reads.
Migrate the web server to an Auto Scaling group that is in three Availability Zones.

Answer 14

A. Migrate the MySQL database to Amazon RDS for MySQL with a Multi-AZ DB cluster deployment.
Use Amazon ElastiCache for Redis with high availability to store session data and to cache
reads. Migrate the web server to an Auto Scaling group that is in three Availability Zones.

Explanation:
Memcached is best suited for caching data, while Redis is better for storing data that needs to be
persisted. If you need to store data that needs to be accessed frequently, such as user profiles,
session data, and application settings, then Redis is the better choice.

Question 15

QUESTION 636
A company wants to provide data scientists with near real-time read-only access to the
company’s production Amazon RDS for PostgreSQL database. The database is currently
configured as a Single-AZ database. The data scientists use complex queries that will not affect
the production database. The company needs a solution that is highly available.
Which solution will meet these requirements MOST cost-effectively?
A. Scale the existing production database in a maintenance window to provide enough power for the
data scientists.
B. Change the setup from a Single-AZ to a Multi-AZ instance deployment with a larger secondary
standby instance. Provide the data scientists access to the secondary instance.
C. Change the setup from a Single-AZ to a Multi-AZ instance deployment. Provide two additional
read replicas for the data scientists.
D. Change the setup from a Single-AZ to a Multi-AZ cluster deployment with two readable standby
instances. Provide read endpoints to the data scientists.

Answer 15

D. Change the setup from a Single-AZ to a Multi-AZ cluster deployment with two readable standby
instances. Provide read endpoints to the data scientists.

Explanation:
Multi-AZ instance: the standby instance doesn’t serve any read or write traffic.
Multi-AZ DB cluster: consists of primary instance running in one AZ serving read-write traffic and
two other standby running in two different AZs serving read traffic.
https://aws.amazon.com/blogs/database/choose-the-right-amazon-rds-deployment-option-single-
az-instance-multi-az-instance-or-multi-az-database-cluster/

C would mean you are paying for 4 instances (primary, backup, and 2 read instances). D would be 3 (primary, and 2 backup).

multi AZ cluster have reader endpoint. multi AZ instance secondary replicate is not allow to access (need to investigate to ensure validity from link above)

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html

Question 16

QUESTION 635
A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its
workloads. All secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd
key-value store.
Which solution will meet these requirements?
A. Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to
manage, rotate, and store all secrets in Amazon EKS.
B. Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.
C. Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store
(Amazon EBS) Container Storage Interface (CSI) driver as an add-on.
D. Create a new AWS Key Management Service (AWS KMS) key with the alias/aws/ebs alias.
Enable default Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.

Answer 16

B. Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.

EKS supports using AWS KMS keys to provide envelope encryption of Kubernetes secrets stored in EKS. Envelope encryption adds an addition, customer-managed layer of encryption for application secrets or user data that is stored within a Kubernetes cluster. https://eksctl.io/usage/kms-encryption/ option A does not enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster

Explanation:
https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html

Question 17

QUESTION 634
A company wants to build a logging solution for its multiple AWS accounts. The company
currently stores the logs from all accounts in a centralized account. The company has created an
Amazon S3 bucket in the centralized account to store the VPC flow logs and AWS CloudTrail
logs. All logs must be highly available for 30 days for frequent analysis, retained for an additional
60 days for backup purposes, and deleted 90 days after creation.
Which solution will meet these requirements MOST cost-effectively?
A. Transition objects to the S3 Standard storage class 30 days after creation. Write an expiration
action that directs Amazon S3 to delete objects after 90 days.
B. Transition objects to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class 30 days
after creation. Move all objects to the S3 Glacier Flexible Retrieval storage class after 90 days.
Write an expiration action that directs Amazon S3 to delete objects after 90 days.
C. Transition objects to the S3 Glacier Flexible Retrieval storage class 30 days after creation. Write
an expiration action that directs Amazon S3 to delete objects after 90 days.
D. Transition objects to the S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class 30
days after creation. Move all objects to the S3 Glacier Flexible Retrieval storage class after 90
days. Write an expiration action that directs Amazon S3 to delete objects after 90 days.

Answer 17

C. Transition objects to the S3 Glacier Flexible Retrieval storage class 30 days after creation. Write
an expiration action that directs Amazon S3 to delete objects after 90 days.

Question 18

QUESTION 633
A company stores data in Amazon S3. According to regulations, the data must not contain
personally identifiable information (PII). The company recently discovered that S3 buckets have some objects that contain PII. The company needs to automatically detect PII in S3 buckets and
to notify the company’s security team.
Which solution will meet these requirements?
A. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type
from Macie findings and to send an Amazon Simple Notification Service (Amazon SNS)
notification to the security team.
B. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type
from GuardDuty findings and to send an Amazon Simple Notification Service (Amazon SNS)
notification to the security team.
C. Use Amazon Macie. Create an Amazon EventBridge rule to filter the
SensitiveData:S3Object/Personal event type from Macie findings and to send an Amazon Simple
Queue Service (Amazon SQS) notification to the security team.
D. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type
from GuardDuty findings and to send an Amazon Simple Queue Service (Amazon SQS)
notification to the security team.

Answer 18

A. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type
from Macie findings and to send an Amazon Simple Notification Service (Amazon SNS)

Question 19

QUESTION 632
A company has a workload in an AWS Region. Customers connect to and access the workload
by using an Amazon API Gateway REST API. The company uses Amazon Route 53 as its DNS
provider. The company wants to provide individual and secure URLs for all customers.
Which combination of steps will meet these requirements with the MOST operational efficiency?
(Choose three.)
A. Register the required domain in a registrar. Create a wildcard custom domain name in a Route 53
hosted zone and record in the zone that points to the API Gateway endpoint.
B. Request a wildcard certificate that matches the domains in AWS Certificate Manager (ACM) in a
different Region.
C. Create hosted zones for each customer as required in Route 53. Create zone records that point
to the API Gateway endpoint.
D. Request a wildcard certificate that matches the custom domain name in AWS Certificate Manager
(ACM) in the same Region.
E. Create multiple API endpoints for each customer in API Gateway.
F. Create a custom domain name in API Gateway for the REST API. Import the certificate from AWS
Certificate Manager (ACM).

Answer 19

A. Register the required domain in a registrar. Create a wildcard custom domain name in a Route 53
hosted zone and record in the zone that points to the API Gateway endpoint.
D. Request a wildcard certificate that matches the custom domain name in AWS Certificate Manager
(ACM) in the same Region.
F. Create a custom domain name in API Gateway for the REST API. Import the certificate from AWS
Certificate Manager (ACM).

Using a wildcard domain and certificate avoids managing individual domains/certs per customer. This is more efficient. The domain, hosted zone, and certificate should all be in the same region as the API Gateway REST API for simplicity. Creating multiple API endpoints per customer (Option E) adds complexity and is not required. Option B and C add unnecessary complexity by separating domains, certificates, and hosted zones.

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html

Step A involves registering the required domain in a registrar and creating a wildcard custom domain name in a Route 53 hosted zone. This allows you to map individual and secure URLs for all customers to your API Gateway endpoints. Step D is to request a wildcard certificate from AWS Certificate Manager (ACM) that matches the custom domain name you created in Step A. This wildcard certificate will cover all subdomains and ensure secure HTTPS communication. Step F is to create a custom domain name in API Gateway for your REST API. This allows you to associate the custom domain name with your API Gateway endpoints and import the certificate from ACM for secure communication.

Question 20

QUESTION 631
A company needs to integrate with a third-party data feed. The data feed sends a webhook to
notify an external service when new data is ready for consumption. A developer wrote an AWS
Lambda function to retrieve data when the company receives a webhook callback. The developer
must make the Lambda function available for the third party to call.
Which solution will meet these requirements with the MOST operational efficiency?
A. Create a function URL for the Lambda function. Provide the Lambda function URL to the third
party for the webhook.
B. Deploy an Application Load Balancer (ALB) in front of the Lambda function. Provide the ALB URL
to the third party for the webhook.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Attach the topic to the
Lambda function. Provide the public hostname of the SNS topic to the third party for the webhook.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Attach the queue to the
Lambda function. Provide the public hostname of the SQS queue to the third party for the
webhook.

Answer 20

A. Create a function URL for the Lambda function. Provide the Lambda function URL to the third
party for the webhook.

Keyword “Lambda function” and “webhook”. See https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-saas-furls.html#create-stripe-cfn-stack

Explanation:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html

Question 21

QUESTION 630
A company has an online gaming application that has TCP and UDP multiplayer gaming
capabilities. The company uses Amazon Route 53 to point the application traffic to multiple
Network Load Balancers (NLBs) in different AWS Regions. The company needs to improve
application performance and decrease latency for the online game in preparation for user growth.
Which solution will meet these requirements?
A. Add an Amazon CloudFront distribution in front of the NLBs. Increase the Cache-Control max-age
parameter.
B. Replace the NLBs with Application Load Balancers (ALBs). Configure Route 53 to use latency-
based routing.
C. Add AWS Global Accelerator in front of the NLBs. Configure a Global Accelerator endpoint to use
the correct listener ports.
D. Add an Amazon API Gateway endpoint behind the NLBs. Enable API caching. Override method caching for the different stages.

Answer 21

C. Add AWS Global Accelerator in front of the NLBs. Configure a Global Accelerator endpoint to use
the correct listener ports.

Question 22

QUESTION 629
A company is migrating its workloads to AWS. The company has transactional and sensitive data
in its databases. The company wants to use AWS Cloud solutions to increase security and
reduce operational overhead for the databases.
Which solution will meet these requirements?
A. Migrate the databases to Amazon EC2. Use an AWS Key Management Service (AWS KMS)
AWS managed key for encryption.
B. Migrate the databases to Amazon RDS Configure encryption at rest.
C. Migrate the data to Amazon S3 Use Amazon Macie for data security and protection
D. Migrate the database to Amazon RDS. Use Amazon CloudWatch Logs for data security and
protection.

Answer 22

B. Migrate the databases to Amazon RDS Configure encryption at rest.

Question 23

QUESTION 628
A data analytics company wants to migrate its batch processing system to AWS. The company
receives thousands of small data files periodically during the day through FTP. An on-premises
batch job processes the data files overnight. However, the batch job takes hours to finish running.
The company wants the AWS solution to process incoming data files as soon as possible with
minimal changes to the FTP clients that send the files. The solution must delete the incoming
data files after the files have been processed successfully. Processing for each file needs to take
3-8 minutes.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Use an Amazon EC2 instance that runs an FTP server to store incoming files as objects in
Amazon S3 Glacier Flexible Retrieval. Configure a job queue in AWS Batch. Use Amazon
EventBridge rules to invoke the job to process the objects nightly from S3 Glacier Flexible
Retrieval. Delete the objects after the job has processed the objects.
B. Use an Amazon EC2 instance that runs an FTP server to store incoming files on an Amazon
Elastic Block Store (Amazon EBS) volume. Configure a job queue in AWS Batch. Use Amazon
EventBridge rules to invoke the job to process the files nightly from the EBS volume. Delete the
files after the job has processed the files.
C. Use AWS Transfer Family to create an FTP server to store incoming files on an Amazon Elastic
Block Store (Amazon EBS) volume. Configure a job queue in AWS Batch. Use an Amazon S3
event notification when each file arrives to invoke the job in AWS Batch. Delete the files after the
job has processed the files.
D. Use AWS Transfer Family to create an FTP server to store incoming files in Amazon S3
Standard. Create an AWS Lambda function to process the files and to delete the files after they
are processed. Use an S3 event notification to invoke the Lambda function when the files arrive.

Answer 23

D. Use AWS Transfer Family to create an FTP server to store incoming files in Amazon S3
Standard. Create an AWS Lambda function to process the files and to delete the files after they
are processed. Use an S3 event notification to invoke the Lambda function when the files arrive.

Question 24

QUESTION 627
A company has a regional subscription-based streaming service that runs in a single AWS
Region. The architecture consists of web servers and application servers on Amazon EC2
instances. The EC2 instances are in Auto Scaling groups behind Elastic Load Balancers. The
architecture includes an Amazon Aurora global database cluster that extends across multiple
Availability Zones.
The company wants to expand globally and to ensure that its application has minimal downtime.
Which solution will provide the MOST fault tolerance?
A. Extend the Auto Scaling groups for the web tier and the application tier to deploy instances in
Availability Zones in a second Region. Use an Aurora global database to deploy the database in
the primary Region and the second Region. Use Amazon Route 53 health checks with a failover
routing policy to the second Region.
B. Deploy the web tier and the application tier to a second Region. Add an Aurora PostgreSQL
cross-Region Aurora Replica in the second Region. Use Amazon Route 53 health checks with a
failover routing policy to the second Region. Promote the secondary to primary as needed.
C. Deploy the web tier and the application tier to a second Region. Create an Aurora PostgreSQL
database in the second Region. Use AWS Database Migration Service (AWS DMS) to replicate
the primary database to the second Region. Use Amazon Route 53 health checks with a failover
routing policy to the second Region.
D. Deploy the web tier and the application tier to a second Region. Use an Amazon Aurora global
database to deploy the database in the primary Region and the second Region. Use Amazon
Route 53 health checks with a failover routing policy to the second Region. Promote the
secondary to primary as needed.

Answer 24

D. Deploy the web tier and the application tier to a second Region. Use an Amazon Aurora global
database to deploy the database in the primary Region and the second Region. Use Amazon
Route 53 health checks with a failover routing policy to the second Region. Promote the
secondary to primary as needed.

Explanation:
Aws Aurora Global Database allows you to read and write from any region in the global cluster.
This enables you to distribute read and write workloads globally, improving performance and
reducing latency. Data is replicated synchronously across regions, ensuring strong consistency.

Question 25

QUESTION 626
A solutions architect is reviewing the resilience of an application. The solutions architect notices
that a database administrator recently failed over the application’s Amazon Aurora PostgreSQL
database writer instance as part of a scaling exercise. The failover resulted in 3 minutes of
downtime for the application.
Which solution will reduce the downtime for scaling exercises with the LEAST operational
overhead?

A. Create more Aurora PostgreSQL read replicas in the cluster to handle the load during failover.
B. Set up a secondary Aurora PostgreSQL cluster in the same AWS Region. During failover, update
the application to use the secondary cluster’s writer endpoint.
C. Create an Amazon ElastiCache for Memcached cluster to handle the load during failover.
D. Set up an Amazon RDS proxy for the database. Update the application to use the proxy endpoint.

Answer 25

D. Set up an Amazon RDS proxy for the database. Update the application to use the proxy endpoint.

Explanation:
Amazon RDS proxy allows you to automatically route write request to the healthy writer,
minimizing downtime.

Question 26

QUESTION 625
A company wants to add its existing AWS usage cost to its operation cost dashboard. A solutions
architect needs to recommend a solution that will give the company access to its usage cost
programmatically. The company must be able to access cost data for the current year and
forecast costs for the next 12 months.
Which solution will meet these requirements with the LEAST operational overhead?
A. Access usage cost-related data by using the AWS Cost Explorer API with pagination.
B. Access usage cost-related data by using downloadable AWS Cost Explorer report .csv files.
C. Configure AWS Budgets actions to send usage cost data to the company through FTP.
D. Create AWS Budgets reports for usage cost data. Send the data to the company through SMTP.

Answer 26

A. Access usage cost-related data by using the AWS Cost Explorer API with pagination.

Explanation:
You can view your costs and usage using the Cost Explorer user interface free of charge. You
can also access your data programmatically using the Cost Explorer API. Each paginated API
request incurs a charge of $0.01. You can’t disable Cost Explorer after you enable it.
https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cost-
explorer/interfaces/costexplorerpaginationconfiguration.html

Question 27

QUESTION 624
A company wants to analyze and troubleshoot Access Denied errors and Unauthorized errors
that are related to IAM permissions. The company has AWS CloudTrail turned on.
Which solution will meet these requirements with the LEAST effort?
A. Use AWS Glue and write custom scripts to query CloudTrail logs for the errors.
B. Use AWS Batch and write custom scripts to query CloudTrail logs for the errors.
C. Search CloudTrail logs with Amazon Athena queries to identify the errors.
D. Search CloudTrail logs with Amazon QuickSight. Create a dashboard to identify the errors.

Answer 27

C. Search CloudTrail logs with Amazon Athena queries to identify the errors.

Explanation:
“Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service
activity.”
https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

IAM and CloudTrail https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#stscloudtrailexample-assumerole. Query CloudTrail logs by Athena https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html#tips-for-querying-cloudtrail- logs#tips-for-querying-cloudtrail-logs Choose C , not D, because need “analyze and troubleshoot”, not just see on dashboard (in D).

Question 28

QUESTION 623
A company runs a microservice-based serverless web application. The application must be able
to retrieve data from multiple Amazon DynamoDB tables A solutions architect needs to give the
application the ability to retrieve the data with no impact on the baseline performance of the
application.
Which solution will meet these requirements in the MOST operationally efficient way?
A. AWS AppSync pipeline resolvers
B. Amazon CloudFront with Lambda@Edge functions
C. Edge-optimized Amazon API Gateway with AWS Lambda functions
D. Amazon Athena Federated Query with a DynamoDB connector

Answer 28

D. Amazon Athena Federated Query with a DynamoDB connector

The Amazon Athena DynamoDB connector enables Amazon Athena to communicate with
DynamoDB so that you can query your tables with SQL. Write operations like INSERT INTO are
not supported.

Question 29

QUESTION 622
A company runs container applications by using Amazon Elastic Kubernetes Service (Amazon
EKS). The company’s workload is not consistent throughout the day. The company wants
Amazon EKS to scale in and out according to the workload.
Which combination of steps will meet these requirements with the LEAST operational overhead?
(Choose two.)
A. Use an AWS Lambda function to resize the EKS cluster.
B. Use the Kubernetes Metrics Server to activate horizontal pod autoscaling.
C. Use the Kubernetes Cluster Autoscaler to manage the number of nodes in the cluster.
D. Use Amazon API Gateway and connect it to Amazon EKS.
E. Use AWS App Mesh to observe network activity.

Answer 29

B. Use the Kubernetes Metrics Server to activate horizontal pod autoscaling.
C. Use the Kubernetes Cluster Autoscaler to manage the number of nodes in the cluster.

Explanation:
By combining the Kubernetes Cluster Autoscaler (option C) to manage the number of nodes in
the cluster and enabling horizontal pod autoscaling (option B) with the Kubernetes Metrics
Server, you can achieve automatic scaling of your EKS cluster and container applications based
on workload demand. This approach minimizes operational overhead as it leverages built-in
Kubernetes functionality and automation mechanisms.

By combining Kubernetes Cluster Autoscaler (option C) to manage the number of nodes in the cluster and enabling horizontal pod auto-scaling (option B) with Kubernetes Metrics Server, you can achieve auto-scaling of your EKS cluster and container applications in based on workload demand. This approach minimizes operational overhead by leveraging built-in Kubernetes functionality and automation mechanisms. Kubernetes Metrics Server https://docs.aws.amazon.com/eks/latest/userguide/metrics-server.html AWS Autoscaler https://docs.aws.amazon.com/eks/latest/userguide/autoscaling. html and https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md

Question 30

QUESTION 621
A retail company has several businesses. The IT team for each business manages its own AWS
account. Each team account is part of an organization in AWS Organizations. Each team
monitors its product inventory levels in an Amazon DynamoDB table in the team’s own AWS
account.
The company is deploying a central inventory reporting application into a shared AWS account.
The application must be able to read items from all the teams’ DynamoDB tables.
Which authentication option will meet these requirements MOST securely?
A. Integrate DynamoDB with AWS Secrets Manager in the inventory application account. Configure
the application to use the correct secret from Secrets Manager to authenticate and read the
DynamoDB table. Schedule secret rotation for every 30 days.
B. In every business account, create an IAM user that has programmatic access. Configure the
application to use the correct IAM user access key ID and secret access key to authenticate and
read the DynamoDB table. Manually rotate IAM access keys every 30 days.
C. In every business account, create an IAM role named BU_ROLE with a policy that gives the role
access to the DynamoDB table and a trust policy to trust a specific role in the inventory
application account. In the inventory account, create a role named APP_ROLE that allows access
to the STS AssumeRole API operation. Configure the application to use APP_ROLE and assume
the crossaccount role BU_ROLE to read the DynamoDB table.
D. Integrate DynamoDB with AWS Certificate Manager (ACM). Generate identity certificates to
authenticate DynamoDB. Configure the application to use the correct certificate to authenticate
and read the DynamoDB table.

Answer 30

C. In every business account, create an IAM role named BU_ROLE with a policy that gives the role
access to the DynamoDB table and a trust policy to trust a specific role in the inventory
application account. In the inventory account, create a role named APP_ROLE that allows access
to the STS AssumeRole API operation. Configure the application to use APP_ROLE and assume
the crossaccount role BU_ROLE to read the DynamoDB table.

Explanation:
IAM Roles: IAM roles provide a secure way to grant permissions to entities within AWS. By
creating an IAM role in each business account named BU_ROLE with the necessary permissions
to access the DynamoDB table, the access can be controlled at the IAM role level.
Cross-Account Access: By configuring a trust policy in the BU_ROLE that trusts a specific role in
the inventory application account (APP_ROLE), you establish a trusted relationship between the
two accounts.
Least Privilege: By creating a specific IAM role (BU_ROLE) in each business account and
granting it access only to the required DynamoDB table, you can ensure that each team’s table is
accessed with the least privilege principle.
Security Token Service (STS): The use of STS AssumeRole API operation in the inventory
application account allows the application to assume the cross-account role (BU_ROLE) in each
business account.

Question 31

QUESTION 620
A company is designing a new web application that will run on Amazon EC2 Instances. The
application will use Amazon DynamoDB for backend data storage. The application traffic will be
unpredictable. The company expects that the application read and write throughput to the
database will be moderate to high. The company needs to scale in response to application traffic.
Which DynamoDB table configuration will meet these requirements MOST cost-effectively?
A. Configure DynamoDB with provisioned read and write by using the DynamoDB Standard table
class. Set DynamoDB auto scaling to a maximum defined capacity.
B. Configure DynamoDB in on-demand mode by using the DynamoDB Standard table class.
C. Configure DynamoDB with provisioned read and write by using the DynamoDB Standard
Infrequent Access (DynamoDB Standard-IA) table class. Set DynamoDB auto scaling to a
maximum defined capacity.
D. Configure DynamoDB in on-demand mode by using the DynamoDB Standard Infrequent Access
(DynamoDB Standard-IA) table class.

Answer 31

B. Configure DynamoDB in on-demand mode by using the DynamoDB Standard table class.

Explanation:
On-demand mode: With on-demand mode, DynamoDB automatically scales its capacity to handle application traffic. DynamoDB Standard Table Class: The DynamoDB Standard Table Class provides a balance between cost and performance. Cost Effectiveness: By using on-demand mode, the business only pays for the actual read and write requests made to the table, rather than provisioning and paying for a fixed number of capacity units in advance. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html

https://docs.aws.amazon.com/wellarchitected/latest/serverless-applications-lens/capacity.html “With on-demand capacity mode, DynamoDB charges you for the data reads and writes your application performs on your tables. You do not need to specify how much read and write throughput you expect your application to perform because DynamoDB instantly accommodates your workloads as they ramp up or down.”

Question 32

QUESTION 619
A consulting company provides professional services to customers worldwide. The company
provides solutions and tools for customers to expedite gathering and analyzing data on AWS. The
company needs to centrally manage and deploy a common set of solutions and tools for
customers to use for self-service purposes.
Which solution will meet these requirements?
A. Create AWS CloudFormation templates for the customers.
B. Create AWS Service Catalog products for the customers.
C. Create AWS Systems Manager templates for the customers.
D. Create AWS Config items for the customers.

Answer 32

B. Create AWS Service Catalog products for the customers.

Explanation:
AWS Service Catalog allows you to create and manage catalogs of IT services that can be
deployed within your organization. With Service Catalog, you can define a standardized set of
products (solutions and tools in this case) that customers can self-service provision. By creating
Service Catalog products, you can control and enforce the deployment of approved and validated
solutions and tools.

Question 33

QUESTION 618
An application uses an Amazon RDS MySQL DB instance. The RDS database is becoming low
on disk space. A solutions architect wants to increase the disk space without downtime.
Which solution meets these requirements with the LEAST amount of effort?
A. Enable storage autoscaling in RDS
B. Increase the RDS database instance size
C. Change the RDS database instance storage type to Provisioned IOPS
D. Back up the RDS database, increase the storage capacity, restore the database, and stop the
previous instance

Answer 33

A. Enable storage autoscaling in RDS

Explanation:
Enabling storage autoscaling allows RDS to automatically adjust the storage capacity based on
the application’s needs. When the storage usage exceeds a predefined threshold, RDS will
automatically increase the allocated storage without requiring manual intervention or causing
downtime. This ensures that the RDS database has sufficient disk space to handle the increasing
storage requirements.

Question 34

QUESTION 617
A company wants to send all AWS Systems Manager Session Manager logs to an Amazon S3
bucket for archival purposes.
Which solution will meet this requirement with the MOST operational efficiency?
A. Enable S3 logging in the Systems Manager console. Choose an S3 bucket to send the session
data to.
B. Install the Amazon CloudWatch agent. Push all logs to a CloudWatch log group. Export the logs
to an S3 bucket from the group for archival purposes.
C. Create a Systems Manager document to upload all server logs to a central S3 bucket. Use
Amazon EventBridge to run the Systems Manager document against all servers that are in the
account daily.
D. Install an Amazon CloudWatch agent. Push all logs to a CloudWatch log group. Create a
CloudWatch logs subscription that pushes any incoming log events to an Amazon Kinesis Data
Firehose delivery stream. Set Amazon S3 as the destination.

Answer 34

A. Enable S3 logging in the Systems Manager console. Choose an S3 bucket to send the session
data to.

Explanation:
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html

Question 35

QUESTION 616
A company provides an API interface to customers so the customers can retrieve their financial information.The company expects a larger number of requests during peak usage times of the year. The company requires the API to respond consistently with low latency to ensure customer satisfaction. The company needs to provide a compute host for the API.

Which solution will meet these requirements with the LEAST operational overhead?

A. Use an Application Load Balancer and Amazon Elastic Container Service (Amazon ECS).
B. Use Amazon API Gateway and AWS Lambda functions with provisioned concurrency.
C. Use an Application Load Balancer and an Amazon Elastic Kubernetes Service (Amazon EKS)
cluster.
D. Use Amazon API Gateway and AWS Lambda functions with reserved concurrency.

Answer 35

B. Use Amazon API Gateway and AWS Lambda functions with provisioned concurrency.

Explanation:
In the context of the given scenario, where the company wants low latency and consistent
performance for their API during peak usage times, it would be more suitable to use provisioned
concurrency. By allocating a specific number of concurrent executions, the company can ensure
that there are enough function instances available to handle the expected load and minimize the
impact of cold starts. This will result in lower latency and improved performance for the API.

Question 36

QUESTION 615
A company is migrating an on-premises application to AWS. The company wants to use Amazon
Redshift as a solution.

Which use cases are suitable for Amazon Redshift in this scenario? (Choose three.)
A. Supporting data APIs to access data with traditional, containerized, and event-driven applications
B. Supporting client-side and server-side encryption
C. Building analytics workloads during specified hours and when the application is not active
D. Caching data to reduce the pressure on the backend database
E. Scaling globally to support petabytes of data and tens of millions of requests per minute
F. Creating a secondary replica of the cluster by using the AWS Management Console

Answer 36

B. Supporting client-side and server-side encryption
C. Building analytics workloads during specified hours and when the application is not active
E. Scaling globally to support petabytes of data and tens of millions of requests per minute

Explanation:
B. Supporting client-side and server-side encryption: Amazon Redshift supports both client-side
and server-side encryption for improved data security.
C. Building analytics workloads during specified hours and when the application is not active:
Amazon Redshift is optimized for running complex analytic queries against very large datasets,
making it a good choice for this use case.
E. Scaling globally to support petabytes of data and tens of millions of requests per minute:
Amazon Redshift is designed to handle petabytes of data, and to deliver fast query and I/O
performance for virtually any size dataset.

Question 37

QUESTION 614
A company is running a microservices application on Amazon EC2 instances. The company
wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster
for scalability. The company must configure the Amazon EKS control plane with endpoint private
access set to true and endpoint public access set to false to maintain security compliance. The
company must also put the data plane in private subnets. However, the company has received
error notifications because the node cannot join the cluster.
Which solution will allow the node to join the cluster?
A. Grant the required permission in AWS Identity and Access Management (IAM) to the
AmazonEKSNodeRole IAM role.
B. Create interface VPC endpoints to allow nodes to access the control plane.
C. Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
D. Allow outbound traffic in the security group of the nodes.

Answer 37

B. Create interface VPC endpoints to allow nodes to access the control plane.

Explanation:
By creating interface VPC endpoints, you can enable the necessary communication between the
Amazon EKS control plane and the nodes in private subnets. This solution ensures that the
control plane maintains endpoint private access (set to true) and endpoint public access (set to
false) for security compliance.

Question 38

QUESTION 613
A social media company wants to allow its users to upload images in an application that is hosted
in the AWS Cloud. The company needs a solution that automatically resizes the images so that
the images can be displayed on multiple device types. The application experiences unpredictable
traffic patterns throughout the day. The company is seeking a highly available solution that
maximizes scalability.
What should a solutions architect do to meet these requirements?

A. Create a static website hosted in Amazon S3 that invokes AWS Lambda functions to resize the
images and store the images in an Amazon S3 bucket.
B. Create a static website hosted in Amazon CloudFront that invokes AWS Step Functions to resize
the images and store the images in an Amazon RDS database.
C. Create a dynamic website hosted on a web server that runs on an Amazon EC2 instance.
Configure a process that runs on the EC2 instance to resize the images and store the images in
an Amazon S3 bucket.
D. Create a dynamic website hosted on an automatically scaling Amazon Elastic Container Service
(Amazon ECS) cluster that creates a resize job in Amazon Simple Queue Service (Amazon
SQS). Set up an image-resizing program that runs on an Amazon EC2 instance to process the
resize jobs.

Answer 38

A. Create a static website hosted in Amazon S3 that invokes AWS Lambda functions to resize the
images and store the images in an Amazon S3 bucket.

Explanation:
By using Amazon S3 and AWS Lambda together, you can create a serverless architecture that
provides highly scalable and available image resizing capabilities. Here’s how the solution would
work:
Set up an Amazon S3 bucket to store the original images uploaded by users.
Configure an event trigger on the S3 bucket to invoke an AWS Lambda function whenever a new
image is uploaded.
The Lambda function can be designed to retrieve the uploaded image, perform the necessary
resizing operations based on device requirements, and store the resized images back in the S3
bucket or a different bucket designated for resized images.
Configure the Amazon S3 bucket to make the resized images publicly accessible for serving to
users.

Question 39

QUESTION 612
A company uses AWS Organizations with resources tagged by account. The company also uses
AWS Backup to back up its AWS infrastructure resources. The company needs to back up all
AWS resources.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Config to identify all untagged resources. Tag the identified resources
programmatically. Use tags in the backup plan.
B. Use AWS Config to identify all resources that are not running. Add those resources to the backup
vault.
C. Require all AWS account owners to review their resources to identify the resources that need to
be backed up.
D. Use Amazon Inspector to identify all noncompliant resources.

Answer 39

A. Use AWS Config to identify all untagged resources. Tag the identified resources
programmatically. Use tags in the backup plan.

Explanation:
This solution allows you to leverage AWS Config to identify any untagged resources within your
AWS Organizations accounts. Once identified, you can programmatically apply the necessary
tags to indicate the backup requirements for each resource. By using tags in the backup plan
configuration, you can ensure that only the tagged resources are included in the backup process,
reducing operational overhead and ensuring all necessary resources are backed up.

Question 40

QUESTION 611
A company is developing software that uses a PostgreSQL database schema. The company
needs to configure multiple development environments and databases for the company’s
developers. On average, each development environment is used for half of the 8-hour workday.
Which solution will meet these requirements MOST cost-effectively?
A. Configure each development environment with its own Amazon Aurora PostgreSQL database
B. Configure each development environment with its own Amazon RDS for PostgreSQL Single-AZ
DB instances
C. Configure each development environment with its own Amazon Aurora On-Demand PostgreSQL-
Compatible database
D. Configure each development environment with its own Amazon S3 bucket by using Amazon S3
Object Select

Answer 40

C. Configure each development environment with its own Amazon Aurora On-Demand PostgreSQL-
Compatible database

Explanation:
With Aurora Serverless, you create a database, specify the desired database capacity range, and
connect your applications. You pay on a per-second basis for the database capacity that you use
when the database is active, and migrate between standard and serverless configurations with a
few steps in the Amazon Relational Database Service (Amazon RDS) console.

Question 41

QUESTION 610
A global marketing company has applications that run in the ap-southeast-2 Region and the eu-
west-1 Region. Applications that run in a VPC in eu-west-1 need to communicate securely with
databases that run in a VPC in ap-southeast-2.
Which network design will meet these requirements?
A. Create a VPC peering connection between the eu-west-1 VPC and the ap-southeast-2 VPC.
Create an inbound rule in the eu-west-1 application security group that allows traffic from the
database server IP addresses in the ap-southeast-2 security group.
B. Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1 VPC.
Update the subnet route tables. Create an inbound rule in the ap-southeast-2 database security
group that references the security group ID of the application servers in eu-west-1.
C. Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1
VPUpdate the subnet route tables. Create an inbound rule in the ap-southeast-2 database
security group that allows traffic from the eu-west-1 application server IP addresses.
D. Create a transit gateway with a peering attachment between the eu-west-1 VPC and the ap-
southeast-2 VPC. After the transit gateways are properly peered and routing is configured, create
an inbound rule in the database security group that references the security group ID of the
application servers in eu-west-1.

Answer 41

C. Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1
VPUpdate the subnet route tables. Create an inbound rule in the ap-southeast-2 database
security group that allows traffic from the eu-west-1 application server IP addresses.

Explanation:
You cannot reference the security group of a peer VPC that’s in a different Region. Instead, use
the CIDR block of the peer VPC.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

Question 42

QUESTION 609
A company operates a two-tier application for image processing. The application uses two
Availability Zones, each with one public subnet and one private subnet. An Application Load
Balancer (ALB) for the web tier uses the public subnets. Amazon EC2 instances for the
application tier use the private subnets.
Users report that the application is running more slowly than expected. A security audit of the web server log files shows that the application is receiving millions of illegitimate requests from a small
number of IP addresses. A solutions architect needs to resolve the immediate performance
problem while the company investigates a more permanent solution.
What should the solutions architect recommend to meet this requirement?
A. Modify the inbound security group for the web tier. Add a deny rule for the IP addresses that are
consuming resources.
B. Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses
that are consuming resources.
C. Modify the inbound security group for the application tier. Add a deny rule for the IP addresses
that are consuming resources.
D. Modify the network ACL for the application tier subnets. Add an inbound deny rule for the IP
addresses that are consuming resources.

Answer 42

B. Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses
that are consuming resources.

Explanation:
In this scenario, the security audit reveals that the application is receiving millions of illegitimate
requests from a small number of IP addresses. To address this issue, it is recommended to
modify the network ACL (Access Control List) for the web tier subnets.
By adding an inbound deny rule specifically targeting the IP addresses that are consuming
resources, the network ACL can block the illegitimate traffic at the subnet level before it reaches
the web servers. This will help alleviate the excessive load on the web tier and improve the
application’s performance.

Question 43

QUESTION 608
A company has migrated multiple Microsoft Windows Server workloads to Amazon EC2
instances that run in the us-west-1 Region. The company manually backs up the workloads to
create an image as needed.
In the event of a natural disaster in the us-west-1 Region, the company wants to recover
workloads quickly in the us-west-2 Region. The company wants no more than 24 hours of data
loss on the EC2 instances. The company also wants to automate any backups of the EC2
instances.
Which solutions will meet these requirements with the LEAST administrative effort? (Choose
two.)
A. Create an Amazon EC2-backed Amazon Machine Image (AMI) lifecycle policy to create a backup
based on tags. Schedule the backup to run twice daily. Copy the image on demand.
B. Create an Amazon EC2-backed Amazon Machine Image (AMI) lifecycle policy to create a backup
based on tags. Schedule the backup to run twice daily. Configure the copy to the us-west-2
Region.
C. Create backup vaults in us-west-1 and in us-west-2 by using AWS Backup. Create a backup plan
for the EC2 instances based on tag values. Create an AWS Lambda function to run as a
scheduled job to copy the backup data to us-west-2.
D. Create a backup vault by using AWS Backup. Use AWS Backup to create a backup plan for the
EC2 instances based on tag values. Define the destination for the copy as us-west-2. Specify the
backup schedule to run twice daily.
E. Create a backup vault by using AWS Backup. Use AWS Backup to create a backup plan for the
EC2 instances based on tag values. Specify the backup schedule to run twice daily. Copy on
demand to us-west-2.

Answer 43

B. Create an Amazon EC2-backed Amazon Machine Image (AMI) lifecycle policy to create a backup
based on tags. Schedule the backup to run twice daily. Configure the copy to the us-west-2
Region.
D. Create a backup vault by using AWS Backup. Use AWS Backup to create a backup plan for the
EC2 instances based on tag values. Define the destination for the copy as us-west-2. Specify the
backup schedule to run twice daily.

Explanation:
Solutions are both automated and require no manual intervention to create or copy backups。

Question 44

QUESTION 607
A company has a web application for travel ticketing. The application is based on a database that
runs in a single data center in North America. The company wants to expand the application to
serve a global user base. The company needs to deploy the application to multiple AWS Regions.
Average latency must be less than 1 second on updates to the reservation database.
The company wants to have separate deployments of its web platform across multiple Regions.
However, the company must maintain a single primary reservation database that is globally
consistent.
Which solution should a solutions architect recommend to meet these requirements?
A. Convert the application to use Amazon DynamoDB. Use a global table for the center reservation
table. Use the correct Regional endpoint in each Regional deployment.
B. Migrate the database to an Amazon Aurora MySQL database. Deploy Aurora Read Replicas in
each Region. Use the correct Regional endpoint in each Regional deployment for access to the
database.
C. Migrate the database to an Amazon RDS for MySQL database. Deploy MySQL read replicas in each Region. Use the correct Regional endpoint in each Regional deployment for access to the
database.
D. Migrate the application to an Amazon Aurora Serverless database. Deploy instances of the
database to each Region. Use the correct Regional endpoint in each Regional deployment to
access the database. Use AWS Lambda functions to process event streams in each Region to
synchronize the databases.

Answer 44

A. Convert the application to use Amazon DynamoDB. Use a global table for the center reservation
table. Use the correct Regional endpoint in each Regional deployment.

Explanation:
Using DynamoDB’s global tables feature, you can achieve a globally consistent reservation
database with low latency on updates, making it suitable for serving a global user base. The
automatic replication provided by DynamoDB eliminates the need for manual synchronization
between Regions.

Question 45

QUESTION 606
A social media company is building a feature for its website. The feature will give users the ability
to upload photos. The company expects significant increases in demand during large events and
must ensure that the website can handle the upload traffic from users.
Which solution meets these requirements with the MOST scalability?
A. Upload files from the user’s browser to the application servers. Transfer the files to an Amazon S3
bucket.
B. Provision an AWS Storage Gateway file gateway. Upload files directly from the user’s browser to
the file gateway.
C. Generate Amazon S3 presigned URLs in the application. Upload files directly from the user’s
browser into an S3 bucket.
D. Provision an Amazon Elastic File System (Amazon EFS) file system. Upload files directly from the
user’s browser to the file system.

Answer 45

C. Generate Amazon S3 presigned URLs in the application. Upload files directly from the user’s
browser into an S3 bucket.

Explanation:
This approach allows users to upload files directly to S3 without passing through the application
servers, reducing the load on the application and improving scalability. It leverages the client-side
capabilities to handle the file uploads and offloads the processing to S3.

Question 46

QUESTION 605
A company has Amazon EC2 instances that run nightly batch jobs to process data. The EC2
instances run in an Auto Scaling group that uses On-Demand billing. If a job fails on one
instance, another instance will reprocess the job. The batch jobs run between 12:00 AM and
06:00 AM local time every day.
Which solution will provide EC2 instances to meet these requirements MOST cost-effectively?
A. Purchase a 1-year Savings Plan for Amazon EC2 that covers the instance family of the Auto
Scaling group that the batch job uses.
B. Purchase a 1-year Reserved Instance for the specific instance type and operating system of the
instances in the Auto Scaling group that the batch job uses.
C. Create a new launch template for the Auto Scaling group. Set the instances to Spot Instances.
Set a policy to scale out based on CPU usage.
D. Create a new launch template for the Auto Scaling group. Increase the instance size. Set a policy
to scale out based on CPU usage.

Answer 46

C. Create a new launch template for the Auto Scaling group. Set the instances to Spot Instances.
Set a policy to scale out based on CPU usage.

Explanation:
Purchasing a 1-year Savings Plan (option A) or a 1-year Reserved Instance (option B) may
provide cost savings, but they are more suitable for long-running, steady-state workloads. Since
your batch jobs run for a specific period each day, using Spot Instances with the ability to scale
out based on CPU usage is a more cost-effective choice.

Question 47

QUESTION 604
A company needs to connect several VPCs in the us-east-1 Region that span hundreds of AWS
accounts. The company’s networking team has its own AWS account to manage the cloud
network.
What is the MOST operationally efficient solution to connect the VPCs?
A. Set up VPC peering connections between each VPC. Update each associated subnet’s route
table
B. Configure a NAT gateway and an internet gateway in each VPC to connect each VPC through the
internet
C. Create an AWS Transit Gateway in the networking team’s AWS account. Configure static routes
from each VPC.
D. Deploy VPN gateways in each VPC. Create a transit VPC in the networking team’s AWS account
to connect to each VPC.

Answer 47

C. Create an AWS Transit Gateway in the networking team’s AWS account. Configure static routes
from each VPC.

Explanation:
WS Transit Gateway is a highly scalable and centralized hub for connecting multiple VPCs, on-
premises networks, and remote networks. It simplifies network connectivity by providing a single
entry point and reducing the number of connections required. In this scenario, deploying an AWS
Transit Gateway in the networking team’s AWS account allows for efficient management and
control over the network connectivity across multiple VPCs.

Question 48

QUESTION 603
A company runs an infrastructure monitoring service. The company is building a new feature that
will enable the service to monitor data in customer AWS accounts. The new feature will call AWS
APIs in customer accounts to describe Amazon EC2 instances and read Amazon CloudWatch
metrics.
What should the company do to obtain access to customer accounts in the MOST secure way?
A. Ensure that the customers create an IAM role in their account with read-only EC2 and
CloudWatch permissions and a trust policy to the company’s account.
B. Create a serverless API that implements a token vending machine to provide temporary AWS
credentials for a role with read-only EC2 and CloudWatch permissions.
C. Ensure that the customers create an IAM user in their account with read-only EC2 and
CloudWatch permissions. Encrypt and store customer access and secret keys in a secrets
management system.
D. Ensure that the customers create an Amazon Cognito user in their account to use an IAM role
with read-only EC2 and CloudWatch permissions. Encrypt and store the Amazon Cognito user
and password in a secrets management system.

Answer 48

A. Ensure that the customers create an IAM role in their account with read-only EC2 and
CloudWatch permissions and a trust policy to the company’s account.

Explanation:
By having customers create an IAM role with the necessary permissions in their own accounts,
the company can use AWS Identity and Access Management (IAM) to establish cross-account
access. The trust policy allows the company’s AWS account to assume the customer’s IAM role
temporarily, granting access to the specified resources (EC2 instances and CloudWatch metrics)
within the customer’s account. This approach follows the principle of least privilege, as the
company only requests the necessary permissions and does not require long-term access keys
or user credentials from the customers.

Question 49

QUESTION 602
A company runs a website that uses a content management system (CMS) on Amazon EC2. The
CMS runs on a single EC2 instance and uses an Amazon Aurora MySQL Multi-AZ DB instance
for the data tier. Website images are stored on an Amazon Elastic Block Store (Amazon EBS)
volume that is mounted inside the EC2 instance.
Which combination of actions should a solutions architect take to improve the performance and
resilience of the website? (Choose two.)
A. Move the website images into an Amazon S3 bucket that is mounted on every EC2 instance
B. Share the website images by using an NFS share from the primary EC2 instance. Mount this
share on the other EC2 instances.
C. Move the website images onto an Amazon Elastic File System (Amazon EFS) file system that is
mounted on every EC2 instance.
D. Create an Amazon Machine Image (AMI) from the existing EC2 instance. Use the AMI to
provision new instances behind an Application Load Balancer as part of an Auto Scaling group.
Configure the Auto Scaling group to maintain a minimum of two instances. Configure an
accelerator in AWS Global Accelerator for the website
E. Create an Amazon Machine Image (AMI) from the existing EC2 instance. Use the AMI to
provision new instances behind an Application Load Balancer as part of an Auto Scaling group.
Configure the Auto Scaling group to maintain a minimum of two instances. Configure an Amazon
CloudFront distribution for the website.

Answer 49

C. Move the website images onto an Amazon Elastic File System (Amazon EFS) file system that is
mounted on every EC2 instance.
E. Create an Amazon Machine Image (AMI) from the existing EC2 instance. Use the AMI to
provision new instances behind an Application Load Balancer as part of an Auto Scaling group.
Configure the Auto Scaling group to maintain a minimum of two instances. Configure an Amazon
CloudFront distribution for the website.

Explanation:
By combining the use of Amazon EFS for shared file storage and Amazon CloudFront for content
delivery, you can achieve improved performance and resilience for the website.

Question 50

QUESTION 601
A company wants to ingest customer payment data into the company’s data lake in Amazon S3.
The company receives payment data every minute on average. The company wants to analyze
the payment data in real time. Then the company wants to ingest the data into the data lake.
Which solution will meet these requirements with the MOST operational efficiency?
A. Use Amazon Kinesis Data Streams to ingest data. Use AWS Lambda to analyze the data in real
time.
B. Use AWS Glue to ingest data. Use Amazon Kinesis Data Analytics to analyze the data in real
time.
C. Use Amazon Kinesis Data Firehose to ingest data. Use Amazon Kinesis Data Analytics to
analyze the data in real time.
D. Use Amazon API Gateway to ingest data. Use AWS Lambda to analyze the data in real time.

Answer 50

C. Use Amazon Kinesis Data Firehose to ingest data. Use Amazon Kinesis Data Analytics to
analyze the data in real time.

Explanation:
By leveraging the combination of Amazon Kinesis Data Firehose and Amazon Kinesis Data
Analytics, you can efficiently ingest and analyze the payment data in real time without the need
for manual processing or additional infrastructure management. This solution provides a
streamlined and scalable approach to handle continuous data ingestion and analysis
requirements.