SAA L2P 801-897 v24.021

Question 1

QUESTION 897
A social media company is creating a rewards program website for its users. The company gives
users points when users create and upload videos to the website. Users redeem their points for
gifts or discounts from the company’s affiliated partners. A unique ID identifies users. The
partners refer to this ID to verify user eligibility for rewards.
The partners want to receive notification of user IDs through an HTTP endpoint when the
company gives users points. Hundreds of vendors are interested in becoming affiliated partners
every day. The company wants to design an architecture that gives the website the ability to add
partners rapidly in a scalable way.
Which solution will meet these requirements with the LEAST implementation effort?
A. Create an Amazon Timestream database to keep a list of affiliated partners. Implement an AWS
Lambda function to read the list. Configure the Lambda function to send user IDs to each partner
when the company gives users points.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Choose an endpoint protocol.
Subscribe the partners to the topic. Publish user IDs to the topic when the company gives users
points.
C. Create an AWS Step Functions state machine. Create a task for every affiliated partner. Invoke the
state machine with user IDs as input when the company gives users points.
D. Create a data stream in Amazon Kinesis Data Streams. Implement producer and consumer
applications. Store a list of affiliated partners in the data stream. Send user IDs when the company
gives users points.

Answer 1

B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Choose an endpoint protocol.
Subscribe the partners to the topic. Publish user IDs to the topic when the company gives users
points.

Question 2

QUESTION 896
A company uses AWS to run its ecommerce platform. The platform is critical to the company’s
operations and has a high volume of traffic and transactions. The company configures a multi-
factor authentication (MFA) device to secure its AWS account root user credentials. The company
wants to ensure that it will not lose access to the root user account if the MFA device is lost.
Which solution will meet these requirements?
A. Set up a backup administrator account that the company can use to log in if the company loses the
MFA device.
B. Add multiple MFA devices for the root user account to handle the disaster scenario.
C. Create a new administrator account when the company cannot access the root account.
D. Attach the administrator policy to another IAM user when the company cannot access the root
account.

Answer 2

B. Add multiple MFA devices for the root user account to handle the disaster scenario.

Question 3

QUESTION 895
A company needs a solution to prevent photos with unwanted content from being uploaded to the
company’s web application. The solution must not involve training a machine learning (ML)
model.
Which solution will meet these requirements?
A. Create and deploy a model by using Amazon SageMaker Autopilot. Create a real-time endpoint
that the web application invokes when new photos are uploaded.
B. Create an AWS Lambda function that uses Amazon Rekognition to detect unwanted content.
Create a Lambda function URL that the web application invokes when new photos are uploaded.
C. Create an Amazon CloudFront function that uses Amazon Comprehend to detect unwanted
content. Associate the function with the web application.
D. Create an AWS Lambda function that uses Amazon Rekognition Video to detect unwanted
content. Create a Lambda function URL that the web application invokes when new photos are
uploaded.

Answer 3

B. Create an AWS Lambda function that uses Amazon Rekognition to detect unwanted content.
Create a Lambda function URL that the web application invokes when new photos are uploaded.

Question 4

QUESTION 894
A company is designing a tightly coupled high performance computing (HPC) environment in the
AWS Cloud. The company needs to include features that will optimize the HPC environment for
networking and storage.
Which combination of solutions will meet these requirements? (Choose two.)
A. Create an accelerator in AWS Global Accelerator. Configure custom routing for the accelerator.
B. Create an Amazon FSx for Lustre file system. Configure the file system with scratch storage.
C. Create an Amazon CloudFront distribution. Configure the viewer protocol policy to be HTTP and
HTTPS.
D. Launch Amazon EC2 instances. Attach an Elastic Fabric Adapter (EFA) to the instances.
E. Create an AWS Elastic Beanstalk deployment to manage the environment.

Answer 4

B. Create an Amazon FSx for Lustre file system. Configure the file system with scratch storage.

D. Launch Amazon EC2 instances. Attach an Elastic Fabric Adapter (EFA) to the instances.

Question 5

QUESTION 893
A company wants to analyze and generate reports to track the usage of its mobile app. The app
is popular and has a global user base. The company uses a custom report building program to
analyze application usage.
The program generates multiple reports during the last week of each month. The program takes
less than 10 minutes to produce each report. The company rarely uses the program to generate
reports outside of the last week of each month The company wants to generate reports in the
least amount of time when the reports are requested.
Which solution will meet these requirements MOST cost-effectively?
A. Run the program by using Amazon EC2 On-Demand Instances. Create an Amazon EventBridge
rule to start the EC2 instances when reports are requested. Run the EC2 instances continuously
during the last week of each month.
B. Run the program in AWS Lambda. Create an Amazon EventBridge rule to run a Lambda function
when reports are requested.
C. Run the program in Amazon Elastic Container Service (Amazon ECS). Schedule Amazon ECS to
run the program when reports are requested.
D. Run the program by using Amazon EC2 Spot Instances. Create an Amazon EventBndge rule to
start the EC2 instances when reports are requested. Run the EC2 instances continuously during
the last week of each month.

Answer 5

B. Run the program in AWS Lambda. Create an Amazon EventBridge rule to run a Lambda function
when reports are requested.

Question 6

QUESTION 892
A company has a mobile app for customers. The app’s data is sensitive and must be encrypted at
rest. The company uses AWS Key Management Service (AWS KMS).
The company needs a solution that prevents the accidental deletion of KMS keys. The solution
must use Amazon Simple Notification Service (Amazon SNS) to send an email notification to
administrators when a user attempts to delete a KMS key.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an Amazon EventBridge rule that reacts when a user tries to delete a KMS key. Configure
an AWS Config rule that cancels any deletion of a KMS key. Add the AWS Config rule as a target
of the EventBridge rule. Create an SNS topic that notifies the administrators.
B. Create an AWS Lambda function that has custom logic to prevent KMS key deletion. Create an
Amazon CloudWatch alarm that is activated when a user tries to delete a KMS key. Create an
Amazon EventBridge rule that invokes the Lambda function when the DeleteKey operation is
performed. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that
notifies the administrators.
C. Create an Amazon EventBridge rule that reacts when the KMS DeleteKey operation is performed.
Configure the rule to initiate an AWS Systems Manager Automation runbook. Configure the runbook to cancel the deletion of the KMS key. Create an SNS topic. Configure the EventBridge
rule to publish an SNS message that notifies the administrators.
D. Create an AWS CloudTrail trail. Configure the trail to deliver logs to a new Amazon CloudWatch
log group. Create a CloudWatch alarm based on the metric filter for the CloudWatch log group.
Configure the alarm to use Amazon SNS to notify the administrators when the KMS DeleteKey
operation is performed.

Answer 6

C. Create an Amazon EventBridge rule that reacts when the KMS DeleteKey operation is performed.
Configure the rule to initiate an AWS Systems Manager Automation runbook. Configure the runbook to cancel the deletion of the KMS key. Create an SNS topic. Configure the EventBridge
rule to publish an SNS message that notifies the administrators.

Question 7

QUESTION 891
An analytics company uses Amazon VPC to run its multi-tier services. The company wants to use
RESTful APIs to offer a web analytics service to millions of users. Users must be verified by using
an authentication service to access the APIs.
Which solution will meet these requirements with the MOST operational efficiency?
A. Configure an Amazon Cognito user pool for user authentication. Implement Amazon API Gateway
REST APIs with a Cognito authorizer.
B. Configure an Amazon Cognito identity pool for user authentication. Implement Amazon API
Gateway HTTP APIs with a Cognito authorizer.
C. Configure an AWS Lambda function to handle user authentication. Implement Amazon API
Gateway REST APIs with a Lambda authorizer.
D. Configure an IAM user to handle user authentication. Implement Amazon API Gateway HTTP APIs
with an IAM authorizer.

Answer 7

A. Configure an Amazon Cognito user pool for user authentication. Implement Amazon API Gateway
REST APIs with a Cognito authorizer.

Question 8

QUESTION 890
A company has AWS Lambda functions that use environment variables. The company does not want its developers to see environment variables in plaintext.
Which solution will meet these requirements?
A. Deploy code to Amazon EC2 instances instead of using Lambda functions.
B. Configure SSL encryption on the Lambda functions to use AWS CloudHSM to store and encrypt
the environment variables.
C. Create a certificate in AWS Certificate Manager (ACM). Configure the Lambda functions to use the
certificate to encrypt the environment variables.
D. Create an AWS Key Management Service (AWS KMS) key. Enable encryption helpers on the
Lambda functions to use the KMS key to store and encrypt the environment variables.

Answer 8

D. Create an AWS Key Management Service (AWS KMS) key. Enable encryption helpers on the
Lambda functions to use the KMS key to store and encrypt the environment variables.

Question 9

QUESTION 889
A company’s web application that is hosted in the AWS Cloud recently increased in popularity.
The web application currently exists on a single Amazon EC2 instance in a single public subnet.
The web application has not been able to meet the demand of the increased web traffic.
The company needs a solution that will provide high availability and scalability to meet the
increased user demand without rewriting the web application.
Which combination of steps will meet these requirements? (Choose two.)
A. Replace the EC2 instance with a larger compute optimized instance.
B. Configure Amazon EC2 Auto Scaling with multiple Availability Zones in private subnets.
C. Configure a NAT gateway in a public subnet to handle web requests.
D. Replace the EC2 instance with a larger memory optimized instance.
E. Configure an Application Load Balancer in a public subnet to distribute web traffic.

Answer 9

B. Configure Amazon EC2 Auto Scaling with multiple Availability Zones in private subnets.

E. Configure an Application Load Balancer in a public subnet to distribute web traffic.

Question 10

QUESTION 888
A company needs a solution to prevent AWS CloudFormation stacks from deploying AWS
Identity and Access Management (IAM) resources that include an inline policy or “” in the
statement. The solution must also prohibit deployment of Amazon EC2 instances with public IP
addresses. The company has AWS Control Tower enabled in its organization in AWS
Organizations.
Which solution will meet these requirements?
A. Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP
addresses and inline policies with elevated access or “”.
B. Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP
addresses and inline policies with elevated access or “*”.
C. Use AWS Config to create rules for EC2 and IAM compliance. Configure the rules to run an AWS
Systems Manager Session Manager automation to delete a resource when it is not compliant.
D. Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the
actions lead to noncompliance.

Answer 10

D. Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the
actions lead to noncompliance.

Question 11

QUESTION 887
A company has stored 10 TB of log files in Apache Parquet format in an Amazon S3 bucket. The
company occasionally needs to use SQL to analyze the log files.
Which solution will meet these requirements MOST cost-effectively?
A. Create an Amazon Aurora MySQL database. Migrate the data from the S3 bucket into Aurora by using AWS Database Migration Service (AWS DMS). Issue SQL statements to the Aurora
database.
B. Create an Amazon Redshift cluster. Use Redshift Spectrum to run SQL statements directly on the
data in the S3 bucket.
C. Create an AWS Glue crawler to store and retrieve table metadata from the S3 bucket. Use
Amazon Athena to run SQL statements directly on the data in the S3 bucket.
D. Create an Amazon EMR cluster. Use Apache Spark SQL to run SQL statements directly on the
data in the S3 bucket.

Answer 11

C. Create an AWS Glue crawler to store and retrieve table metadata from the S3 bucket. Use
Amazon Athena to run SQL statements directly on the data in the S3 bucket.

Question 12

QUESTION 886
A company has an organization in AWS Organizations that has all features enabled. The
company requires that all API calls and logins in any existing or new AWS account must be
audited. The company needs a managed solution to prevent additional work and to minimize
costs. The company also needs to know when any AWS account is not compliant with the AWS
Foundational Security Best Practices (FSBP) standard.
Which solution will meet these requirements with the LEAST operational overhead?
A. Deploy an AWS Control Tower environment in the Organizations management account. Enable
AWS Security Hub and AWS Control Tower Account Factory in the environment.
B. Deploy an AWS Control Tower environment in a dedicated Organizations member account.
Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
C. Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ).
Submit an RFC to self-service provision Amazon GuardDuty in the MALZ.
D. Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ).
Submit an RFC to self-service provision AWS Security Hub in the MALZ.

Answer 12

A. Deploy an AWS Control Tower environment in the Organizations management account. Enable
AWS Security Hub and AWS Control Tower Account Factory in the environment.

Question 13

QUESTION 885
A company runs multiple workloads in its on-premises data center. The company’s data center
cannot scale fast enough to meet the company’s expanding business needs. The company wants
to collect usage and configuration data about the on-premises servers and workloads to plan a
migration to AWS.
Which solution will meet these requirements?
A. Set the home AWS Region in AWS Migration Hub. Use AWS Systems Manager to collect data
about the on-premises servers.
B. Set the home AWS Region in AWS Migration Hub. Use AWS Application Discovery Service to
collect data about the on-premises servers.
C. Use the AWS Schema Conversion Tool (AWS SCT) to create the relevant templates. Use AWS
Trusted Advisor to collect data about the on-premises servers.
D. Use the AWS Schema Conversion Tool (AWS SCT) to create the relevant templates. Use AWS
Database Migration Service (AWS DMS) to collect data about the on-premises servers.

Answer 13

B. Set the home AWS Region in AWS Migration Hub. Use AWS Application Discovery Service to
collect data about the on-premises servers.

Question 14

QUESTION 884
A solutions architect is designing a payment processing application that runs on AWS Lambda in
private subnets across multiple Availability Zones. The application uses multiple Lambda
functions and processes millions of transactions each day.
The architecture must ensure that the application does not process duplicate payments.
Which solution will meet these requirements?
A. Use Lambda to retrieve all due payments. Publish the due payments to an Amazon S3 bucket.
Configure the S3 bucket with an event notification to invoke another Lambda function to process
the due payments.
B. Use Lambda to retrieve all due payments. Publish the due payments to an Amazon Simple Queue
Service (Amazon SQS) queue. Configure another Lambda function to poll the SQS queue and to
process the due payments.
C. Use Lambda to retrieve all due payments. Publish the due payments to an Amazon Simple Queue
Service (Amazon SQS) FIFO queue. Configure another Lambda function to poll the FIFO queue
and to process the due payments.
D. Use Lambda to retrieve all due payments. Store the due payments in an Amazon DynamoDB table. Configure streams on the DynamoDB table to invoke another Lambda function to process
the due payments.

Answer 14

D. Use Lambda to retrieve all due payments. Store the due payments in an Amazon DynamoDB table. Configure streams on the DynamoDB table to invoke another Lambda function to process
the due payments.

Question 15

QUESTION 883
A company’s marketing data is uploaded from multiple sources to an Amazon S3 bucket. A series
of data preparation jobs aggregate the data for reporting. The data preparation jobs need to run
at regular intervals in parallel. A few jobs need to run in a specific order later.
The company wants to remove the operational overhead of job error handling, retry logic, and
state management.
Which solution will meet these requirements?
A. Use an AWS Lambda function to process the data as soon as the data is uploaded to the S3
bucket. Invoke other Lambda functions at regularly scheduled intervals.
B. Use Amazon Athena to process the data. Use Amazon EventBridge Scheduler to invoke Athena
on a regular internal.
C. Use AWS Glue DataBrew to process the data. Use an AWS Step Functions state machine to run
the DataBrew data preparation jobs.
D. Use AWS Data Pipeline to process the data. Schedule Data Pipeline to process the data once at
midnight.

Answer 15

C. Use AWS Glue DataBrew to process the data. Use an AWS Step Functions state machine to run
the DataBrew data preparation jobs.

Question 16

QUESTION 882
A company maintains its accounting records in a custom application that runs on Amazon EC2
instances. The company needs to migrate the data to an AWS managed service for development
and maintenance of the application data. The solution must require minimal operational support and provide immutable, cryptographically verifiable logs of data changes.
Which solution will meet these requirements MOST cost-effectively?
A. Copy the records from the application into an Amazon Redshift cluster.
B. Copy the records from the application into an Amazon Neptune cluster.
C. Copy the records from the application into an Amazon Timestream database.
D. Copy the records from the application into an Amazon Quantum Ledger Database (Amazon
QLDB) ledger.

Answer 16

D. Copy the records from the application into an Amazon Quantum Ledger Database (Amazon
QLDB) ledger.

Question 17

QUESTION 881
A company wants to deploy an internal web application on AWS. The web application must be
accessible only from the company’s office. The company needs to download security patches for
the web application from the internet.
The company has created a VPC and has configured an AWS Site-to-Site VPN connection to the
company’s office. A solutions architect must design a secure architecture for the web application.
Which solution will meet these requirements?
A. Deploy the web application on Amazon EC2 instances in public subnets behind a public
Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the inbound source
of the ALB’s security group to 0.0.0.0/0.
B. Deploy the web application on Amazon EC2 instances in private subnets behind an internal
Application Load Balancer (ALB). Deploy NAT gateways in public subnets. Attach an internet
gateway to the VPC. Set the inbound source of the ALB’s security group to the company’s office
network CIDR block.
C. Deploy the web application on Amazon EC2 instances in public subnets behind an internal
Application Load Balancer (ALB). Deploy NAT gateways in private subnets. Attach an internet
gateway to the VPSet the outbound destination of the ALB’s security group to the company’s office
network CIDR block.
D. Deploy the web application on Amazon EC2 instances in private subnets behind a public
Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the outbound
destination of the ALB’s security group to 0.0.0.0/0.

Answer 17

B. Deploy the web application on Amazon EC2 instances in private subnets behind an internal
Application Load Balancer (ALB). Deploy NAT gateways in public subnets. Attach an internet
gateway to the VPC. Set the inbound source of the ALB’s security group to the company’s office
network CIDR block.

Question 18

QUESTION 880
A company wants to run its experimental workloads in the AWS Cloud. The company has a
budget for cloud spending. The company’s CFO is concerned about cloud spending
accountability for each department. The CFO wants to receive notification when the spending
threshold reaches 60% of the budget.
Which solution will meet these requirements?
A. Use cost allocation tags on AWS resources to label owners. Create usage budgets in AWS
Budgets. Add an alert threshold to receive notification when spending exceeds 60% of the budget.
B. Use AWS Cost Explorer forecasts to determine resource owners. Use AWS Cost Anomaly
Detection to create alert threshold notifications when spending exceeds 60% of the budget.
C. Use cost allocation tags on AWS resources to label owners. Use AWS Support API on AWS
Trusted Advisor to create alert threshold notifications when spending exceeds 60% of the budget.
D. Use AWS Cost Explorer forecasts to determine resource owners. Create usage budgets in AWS
Budgets. Add an alert threshold to receive notification when spending exceeds 60% of the budget.

Answer 18

A. Use cost allocation tags on AWS resources to label owners. Create usage budgets in AWS
Budgets. Add an alert threshold to receive notification when spending exceeds 60% of the budget.

Question 19

QUESTION 879
A company has hired an external vendor to perform work in the company’s AWS account. The
vendor uses an automated tool that is hosted in an AWS account that the vendor owns. The
vendor does not have IAM access to the company’s AWS account. The company needs to grant
the vendor access to the company’s AWS account.
Which solution will meet these requirements MOST securely?
A. Create an IAM role in the company’s account to delegate access to the vendor’s IAM role. Attach
the appropriate IAM policies to the role for the permissions that the vendor requires.
B. Create an IAM user in the company’s account with a password that meets the password
complexity requirements. Attach the appropriate IAM policies to the user for the permissions that
the vendor requires.
C. Create an IAM group in the company’s account. Add the automated tool’s IAM user from the
vendor account to the group. Attach the appropriate IAM policies to the group for the permissions
that the vendor requires.
D. Create an IAM user in the company’s account that has a permission boundary that allows the
vendor’s account. Attach the appropriate IAM policies to the user for the permissions that the
vendor requires.

Answer 19

A. Create an IAM role in the company’s account to delegate access to the vendor’s IAM role. Attach
the appropriate IAM policies to the role for the permissions that the vendor requires.

Question 20

QUESTION 878
A company has an Amazon Elastic File System (Amazon EFS) file system that contains a
reference dataset. The company has applications on Amazon EC2 instances that need to read
the dataset. However, the applications must not be able to change the dataset. The company
wants to use IAM access control to prevent the applications from being able to modify or delete
the dataset.
Which solution will meet these requirements?
A. Mount the EFS file system in read-only mode from within the EC2 instances.
B. Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action
to the IAM roles that are attached to the EC2 instances.
C. Create an identity policy for the EFS file system that denies the elasticfilesystem:ClientWrite action
on the EFS file system.
D. Create an EFS access point for each application. Use Portable Operating System Interface
(POSIX) file permissions to allow read-only access to files in the root directory.

Answer 20

B. Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action
to the IAM roles that are attached to the EC2 instances.

Question 21

QUESTION 877
A data analytics company has 80 offices that are distributed globally. Each office hosts 1 PB of
data and has between 1 and 2 Gbps of internet bandwidth.
The company needs to perform a one-time migration of a large amount of data from its offices to Amazon S3. The company must complete the migration within 4 weeks.
Which solution will meet these requirements MOST cost-effectively?
A. Establish a new 10 Gbps AWS Direct Connect connection to each office. Transfer the data to
Amazon S3.
B. Use multiple AWS Snowball Edge storage-optimized devices to store and transfer the data to
Amazon S3.
C. Use an AWS Snowmobile to store and transfer the data to Amazon S3.
D. Set up an AWS Storage Gateway Volume Gateway to transfer the data to Amazon S3.

Answer 21

B. Use multiple AWS Snowball Edge storage-optimized devices to store and transfer the data to
Amazon S3.

Question 22

QUESTION 876
A company uses AWS Organizations for its multi-account AWS setup. The security organizational
unit (OU) of the company needs to share approved Amazon Machine Images (AMIs) with the
development OU. The AMIs are created by using AWS Key Management Service (AWS KMS)
encrypted snapshots.
Which solution will meet these requirements? (Choose two.)
A. Add the development team’s OU Amazon Resource Name (ARN) to the launch permission list for
the AMIs.
B. Add the Organizations root Amazon Resource Name (ARN) to the launch permission list for the
AMIs.
C. Update the key policy to allow the development team’s OU to use the AWS KMS keys that are
used to decrypt the snapshots.
D. Add the development team’s account Amazon Resource Name (ARN) to the launch permission list
for the AMIs.
E. Recreate the AWS KMS key. Add a key policy to allow the Organizations root Amazon Resource
Name (ARN) to use the AWS KMS key.

Answer 22

A. Add the development team’s OU Amazon Resource Name (ARN) to the launch permission list for
the AMIs.

C. Update the key policy to allow the development team’s OU to use the AWS KMS keys that are
used to decrypt the snapshots.

Question 23

QUESTION 875
A company has a mobile game that reads most of its metadata from an Amazon RDS DB
instance. As the game increased in popularity, developers noticed slowdowns related to the
game’s metadata load times. Performance metrics indicate that simply scaling the database will
not help. A solutions architect must explore all options that include capabilities for snapshots,
replication, and sub-millisecond response times.
What should the solutions architect recommend to solve these issues?
A. Migrate the database to Amazon Aurora with Aurora Replicas.
B. Migrate the database to Amazon DynamoDB with global tables.
C. Add an Amazon ElastiCache for Redis layer in front of the database.
D. Add an Amazon ElastiCache for Memcached layer in front of the database.

Answer 23

C. Add an Amazon ElastiCache for Redis layer in front of the database.

Question 24

QUESTION 874
Use Amazon Elastic Kubernetes Service (Amazon EKS) with Amazon EC2 worker nodes.
A company has deployed an application in an AWS account. The application consists of
microservices that run on AWS Lambda and Amazon Elastic Kubernetes Service (Amazon EKS).
A separate team supports each microservice. The company has multiple AWS accounts and
wants to give each team its own account for its microservices.
A solutions architect needs to design a solution that will provide service-to-service communication
over HTTPS (port 443). The solution also must provide a service registry for service discovery.
Which solution will meet these requirements with the LEAST administrative overhead?
A. Create an inspection VPC. Deploy an AWS Network Firewall firewall to the inspection VPC. Attach
the inspection VPC to a new transit gateway. Route VPC-to-VPC traffic to the inspection VPC.
Apply firewall rules to allow only HTTPS communication.
B. Create a VPC Lattice service network. Associate the microservices with the service network.
Define HTTPS listeners for each service. Register microservice compute resources as targets.
Identify VPCs that need to communicate with the services. Associate those VPCs with the service
network.
C. Create a Network Load Balancer (NLB) with an HTTPS listener and target groups for each
microservice. Create an AWS PrivateLink endpoint service for each microservice. Create an
interface VPC endpoint in each VPC that needs to consume that microservice.
D. Create peering connections between VPCs that contain microservices. Create a prefix list for each
service that requires a connection to a client. Create route tables to route traffic to the appropriate
VPC. Create security groups to allow only HTTPS communication.

Answer 24

B. Create a VPC Lattice service network. Associate the microservices with the service network.
Define HTTPS listeners for each service. Register microservice compute resources as targets.
Identify VPCs that need to communicate with the services. Associate those VPCs with the service
network.

Question 25

QUESTION 873
A solutions architect must provide an automated solution for a company’s compliance policy that
states security groups cannot include a rule that allows SSH from 0.0.0.0/0. The company needs
to be notified if there is any breach in the policy. A solution is needed as soon as possible.
What should the solutions architect do to meet these requirements with the LEAST operational
overhead?
A. Write an AWS Lambda script that monitors security groups for SSH being open to 0.0.0.0/0
addresses and creates a notification every time it finds one.
B. Enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification
Service (Amazon SNS) notification when a noncompliant rule is created.
C. Create an IAM role with permissions to globally open security groups and network ACLs. Create
an Amazon Simple Notification Service (Amazon SNS) topic to generate a notification every time
the role is assumed by a user.
D. Configure a service control policy (SCP) that prevents non-administrative users from creating or
editing security groups. Create a notification in the ticketing system when a user requests a rule
that needs administrator permissions.

Answer 25

B. Enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification
Service (Amazon SNS) notification when a noncompliant rule is created.

Question 26

QUESTION 872
An ecommerce company is running a seasonal online sale. The company hosts its website on
Amazon EC2 instances spanning multiple Availability Zones. The company wants its website to
manage sudden traffic increases during the sale.
Which solution will meet these requirements MOST cost-effectively?
A. Create an Auto Scaling group that is large enough to handle peak traffic load. Stop half of the
Amazon EC2 instances. Configure the Auto Scaling group to use the stopped instances to scale out when traffic increases.
B. Create an Auto Scaling group for the website. Set the minimum size of the Auto Scaling group so
that it can handle high traffic volumes without the need to scale out.
C. Use Amazon CloudFront and Amazon ElastiCache to cache dynamic content with an Auto Scaling
group set as the origin. Configure the Auto Scaling group with the instances necessary to populate
CloudFront and ElastiCache. Scale in after the cache is fully populated.
D. Configure an Auto Scaling group to scale out as traffic increases. Create a launch template to start
new instances from a preconfigured Amazon Machine Image (AMI).

Answer 26

D. Configure an Auto Scaling group to scale out as traffic increases. Create a launch template to start
new instances from a preconfigured Amazon Machine Image (AMI).

Question 27

QUESTION 871
A company built an application with Docker containers and needs to run the application in the
AWS Cloud. The company wants to use a managed service to host the application.
The solution must scale in and out appropriately according to demand on the individual container
services. The solution also must not result in additional operational overhead or infrastructure to
manage.
Which solutions will meet these requirements? (Choose two.)
A. Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate.
B. Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate.
C. Provision an Amazon API Gateway API. Connect the API to AWS Lambda to run the containers.
D. Use Amazon Elastic Container Service (Amazon ECS) with Amazon EC2 worker nodes.
E. Use Amazon Elastic Kubernetes Service (Amazon EKS) with Amazon EC2 worker nodes.

Answer 27

A. Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate.
B. Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate.

Question 28

QUESTION 870
A company stores data in an on-premises Oracle relational database. The company needs to
make the data available in Amazon Aurora PostgreSQL for analysis. The company uses an AWS
Site-to-Site VPN connection to connect its on-premises network to AWS.
The company must capture the changes that occur to the source database during the migration to
Aurora PostgreSQL.
Which solution will meet these requirements?
A. Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora
PostgreSQL schema. Use the AWS Database Migration Service (AWS DMS) full-load migration
task to migrate the data.
B. Use AWS DataSync to migrate the data to an Amazon S3 bucket. Import the S3 data to Aurora
PostgreSQL by using the Aurora PostgreSQL aws_s3 extension.
C. Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora
PostgreSQL schema. Use AWS Database Migration Service (AWS DMS) to migrate the existing
data and replicate the ongoing changes.
D. Use an AWS Snowball device to migrate the data to an Amazon S3 bucket. Import the S3 data to
Aurora PostgreSQL by using the Aurora PostgreSQL aws_s3 extension.

Answer 28

C. Use the AWS Schema Conversion Tool (AWS SCT) to convert the Oracle schema to Aurora
PostgreSQL schema. Use AWS Database Migration Service (AWS DMS) to migrate the existing
data and replicate the ongoing changes.

Question 29

QUESTION 869
A company’s application is deployed on Amazon EC2 instances and uses AWS Lambda
functions for an event-driven architecture. The company uses nonproduction development
environments in a different AWS account to test new features before the company deploys the
features to production.
The production instances show constant usage because of customers in different time zones.
The company uses nonproduction instances only during business hours on weekdays. The
company does not use the nonproduction instances on the weekends. The company wants to
optimize the costs to run its application on AWS.
Which solution will meet these requirements MOST cost-effectively?
A. Use On-Demand Instances for the production instances. Use Dedicated Hosts for the
nonproduction instances on weekends only.
B. Use Reserved Instances for the production instances and the nonproduction instances. Shut down
the nonproduction instances when not in use.
C. Use Compute Savings Plans for the production instances. Use On-Demand Instances for the
nonproduction instances. Shut down the nonproduction instances when not in use.
D. Use Dedicated Hosts for the production instances. Use EC2 Instance Savings Plans for the
nonproduction instances.

Answer 29

C. Use Compute Savings Plans for the production instances. Use On-Demand Instances for the
nonproduction instances. Shut down the nonproduction instances when not in use.

Question 30

QUESTION 868
A company hosts an application used to upload files to an Amazon S3 bucket. Once uploaded,
the files are processed to extract metadata, which takes less than 5 seconds. The volume and
frequency of the uploads varies from a few files each hour to hundreds of concurrent uploads.
The company has asked a solutions architect to design a cost-effective architecture that will meet
these requirements.
What should the solutions architect recommend?
A. Configure AWS CloudTrail trails to log S3 API calls. Use AWS AppSync to process the files.
B. Configure an object-created event notification within the S3 bucket to invoke an AWS Lambda
function to process the files.
C. Configure Amazon Kinesis Data Streams to process and send data to Amazon S3. Invoke an AWS
Lambda function to process the files.
D. Configure an Amazon Simple Notification Service (Amazon SNS) topic to process the files
uploaded to Amazon S3. Invoke an AWS Lambda function to process the files.

Answer 30

D. Configure an Amazon Simple Notification Service (Amazon SNS) topic to process the files
uploaded to Amazon S3. Invoke an AWS Lambda function to process the files.

Question 31

QUESTION 867
A company has a business-critical application that runs on Amazon EC2 instances. The
application stores data in an Amazon DynamoDB table. The company must be able to revert the
table to any point within the last 24 hours.
Which solution meets these requirements with the LEAST operational overhead?
A. Configure point-in-time recovery for the table.
B. Use AWS Backup for the table.
C. Use an AWS Lambda function to make an on-demand backup of the table every hour.
D. Turn on streams on the table to capture a log of all changes to the table in the last 24 hours. Store
a copy of the stream in an Amazon S3 bucket.

Answer 31

A. Configure point-in-time recovery for the table.

Question 32

QUESTION 866
A pharmaceutical company is developing a new drug. The volume of data that the company
generates has grown exponentially over the past few months. The company’s researchers
regularly require a subset of the entire dataset to be immediately available with minimal lag.
However, the entire dataset does not need to be accessed on a daily basis. All the data currently
resides in on-premises storage arrays, and the company wants to reduce ongoing capital
expenses.
Which storage solution should a solutions architect recommend to meet these requirements?
A. Run AWS DataSync as a scheduled cron job to migrate the data to an Amazon S3 bucket on an
ongoing basis.
B. Deploy an AWS Storage Gateway file gateway with an Amazon S3 bucket as the target storage.
Migrate the data to the Storage Gateway appliance.
C. Deploy an AWS Storage Gateway volume gateway with cached volumes with an Amazon S3
bucket as the target storage. Migrate the data to the Storage Gateway appliance.
D. Configure an AWS Site-to-Site VPN connection from the on-premises environment to AWS.
Migrate data to an Amazon Elastic File System (Amazon EFS) file system.

Answer 32

C. Deploy an AWS Storage Gateway volume gateway with cached volumes with an Amazon S3
bucket as the target storage. Migrate the data to the Storage Gateway appliance.

Question 33

QUESTION 865
A company’s developers want a secure way to gain SSH access on the company’s Amazon EC2
instances that run the latest version of Amazon Linux. The developers work remotely and in the
corporate office.
The company wants to use AWS services as a part of the solution. The EC2 instances are hosted
in a VPC private subnet and access the internet through a NAT gateway that is deployed in a
public subnet.
What should a solutions architect do to meet these requirements MOST cost-effectively?
A. Create a bastion host in the same subnet as the EC2 instances. Grant the
ec2:CreateVpnConnection IAM permission to the developers. Install EC2 Instance Connect so that
the developers can connect to the EC2 instances.
B. Create an AWS Site-to-Site VPN connection between the corporate network and the VPC. Instruct
the developers to use the Site-to-Site VPN connection to access the EC2 instances when the
developers are on the corporate network. Instruct the developers to set up another VPN
connection for access when they work remotely.
C. Create a bastion host in the public subnet of the VPConfigure the security groups and SSH keys of
the bastion host to only allow connections and SSH authentication from the developers’ corporate
and remote networks. Instruct the developers to connect through the bastion host by using SSH to
reach the EC2 instances.
D. Attach the AmazonSSMManagedInstanceCore IAM policy to an IAM role that is associated with
the EC2 instances. Instruct the developers to use AWS Systems Manager Session Manager to
access the EC2 instances.

Answer 33

D. Attach the AmazonSSMManagedInstanceCore IAM policy to an IAM role that is associated with
the EC2 instances. Instruct the developers to use AWS Systems Manager Session Manager to
access the EC2 instances.

Question 34

QUESTION 864
A development team is collaborating with another company to create an integrated product. The
other company needs to access an Amazon Simple Queue Service (Amazon SQS) queue that is
contained in the development team’s account. The other company wants to poll the queue
without giving up its own account permissions to do so.
How should a solutions architect provide access to the SQS queue?
A. Create an instance profile that provides the other company access to the SQS queue.
B. Create an IAM policy that provides the other company access to the SQS queue.
C. Create an SQS access policy that provides the other company access to the SQS queue.
D. Create an Amazon Simple Notification Service (Amazon SNS) access policy that provides the
other company access to the SQS queue.

Answer 34

C. Create an SQS access policy that provides the other company access to the SQS queue.

Question 35

QUESTION 863
A company wants to migrate its three-tier application from on premises to AWS. The web tier and
the application tier are running on third-party virtual machines (VMs). The database tier is running
on MySQL.
The company needs to migrate the application by making the fewest possible changes to the
architecture. The company also needs a database solution that can restore data to a specific
point in time.
Which solution will meet these requirements with the LEAST operational overhead?
A. Migrate the web tier and the application tier to Amazon EC2 instances in private subnets. Migrate
the database tier to Amazon RDS for MySQL in private subnets.
B. Migrate the web tier to Amazon EC2 instances in public subnets. Migrate the application tier to
EC2 instances in private subnets. Migrate the database tier to Amazon Aurora MySQL in private
subnets.
C. Migrate the web tier to Amazon EC2 instances in public subnets. Migrate the application tier to
EC2 instances in private subnets. Migrate the database tier to Amazon RDS for MySQL in private
subnets.
D. Migrate the web tier and the application tier to Amazon EC2 instances in public subnets. Migrate
the database tier to Amazon Aurora MySQL in public subnets.

Answer 35

B. Migrate the web tier to Amazon EC2 instances in public subnets. Migrate the application tier to
EC2 instances in private subnets. Migrate the database tier to Amazon Aurora MySQL in private
subnets.

Question 36

QUESTION 862
A company has 150 TB of archived image data stored on-premises that needs to be moved to the
AWS Cloud within the next month. The company’s current network connection allows up to 100
Mbps uploads for this purpose during the night only.
What is the MOST cost-effective mechanism to move this data and meet the migration deadline?
A. Use AWS Snowmobile to ship the data to AWS.
B. Order multiple AWS Snowball devices to ship the data to AWS.
C. Enable Amazon S3 Transfer Acceleration and securely upload the data.
D. Create an Amazon S3 VPC endpoint and establish a VPN to upload the data.

Answer 36

B. Order multiple AWS Snowball devices to ship the data to AWS.

Question 37

QUESTION 861
A company stores multiple Amazon Machine Images (AMIs) in an AWS account to launch its
Amazon EC2 instances. The AMIs contain critical data and configurations that are necessary for
the company’s operations. The company wants to implement a solution that will recover
accidentally deleted AMIs quickly and efficiently.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create Amazon Elastic Block Store (Amazon EBS) snapshots of the AMIs. Store the snapshots in
a separate AWS account.
B. Copy all AMIs to another AWS account periodically.
C. Create a retention rule in Recycle Bin.
D. Upload the AMIs to an Amazon S3 bucket that has Cross-Region Replication.

Answer 37

C. Create a retention rule in Recycle Bin.

Explanation:
https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-ec2-recycle-bin-machine-
images/

Question 38

QUESTION 860
A company needs to use its on-premises LDAP directory service to authenticate its users to the
AWS Management Console. The directory service is not compatible with Security Assertion
Markup Language (SAML).
Which solution meets these requirements?
A. Enable AWS IAM Identity Center (AWS Single Sign-On) between AWS and the on-premises
LDAP.
B. Create an IAM policy that uses AWS credentials, and integrate the policy into LDAP.
C. Set up a process that rotates the IAM credentials whenever LDAP credentials are updated.
D. Develop an on-premises custom identity broker application or process that uses AWS Security
Token Service (AWS STS) to get short-lived credentials.

Answer 38

D. Develop an on-premises custom identity broker application or process that uses AWS Security
Token Service (AWS STS) to get short-lived credentials.

Question 39

QUESTION 859
A solutions architect needs to design the architecture for an application that a vendor provides as
a Docker container image. The container needs 50 GB of storage available for temporary files.
The infrastructure must be serverless.
Which solution meets these requirements with the LEAST operational overhead?
A. Create an AWS Lambda function that uses the Docker container image with an Amazon S3 mounted volume that has more than 50 GB of space.
B. Create an AWS Lambda function that uses the Docker container image with an Amazon Elastic
Block Store (Amazon EBS) volume that has more than 50 GB of space.
C. Create an Amazon Elastic Container Service (Amazon ECS) cluster that uses the AWS Fargate
launch type. Create a task definition for the container image with an Amazon Elastic File System
(Amazon EFS) volume. Create a service with that task definition.
D. Create an Amazon Elastic Container Service (Amazon ECS) cluster that uses the Amazon EC2
launch type with an Amazon Elastic Block Store (Amazon EBS) volume that has more than 50 GB
of space. Create a task definition for the container image. Create a service with that task definition.

Answer 39

C. Create an Amazon Elastic Container Service (Amazon ECS) cluster that uses the AWS Fargate
launch type. Create a task definition for the container image with an Amazon Elastic File System
(Amazon EFS) volume. Create a service with that task definition.

Question 40

QUESTION 858
A media company stores movies in Amazon S3. Each movie is stored in a single video file that
ranges from 1 GB to 10 GB in size.
The company must be able to provide the streaming content of a movie within 5 minutes of a user
purchase. There is higher demand for movies that are less than 20 years old than for movies that
are more than 20 years old. The company wants to minimize hosting service costs based on
demand.
Which solution will meet these requirements?
A. Store all media content in Amazon S3. Use S3 Lifecycle policies to move media data into the
Infrequent Access tier when the demand for a movie decreases.
B. Store newer movie video files in S3 Standard. Store older movie video files in S3 Standard-
infrequent Access (S3 Standard-IA). When a user orders an older movie, retrieve the video file by
using standard retrieval.
C. Store newer movie video files in S3 Intelligent-Tiering. Store older movie video files in S3 Glacier
Flexible Retrieval. When a user orders an older movie, retrieve the video file by using expedited
retrieval.
D. Store newer movie video files in S3 Standard. Store older movie video files in S3 Glacier Flexible
Retrieval. When a user orders an older movie, retrieve the video file by using bulk retrieval.

Answer 40

C. Store newer movie video files in S3 Intelligent-Tiering. Store older movie video files in S3 Glacier
Flexible Retrieval. When a user orders an older movie, retrieve the video file by using expedited
retrieval.

Question 41

QUESTION 857
A company wants to deploy its containerized application workloads to a VPC across three
Availability Zones. The company needs a solution that is highly available across Availability
Zones. The solution must require minimal changes to the application.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use Amazon Elastic Container Service (Amazon ECS). Configure Amazon ECS Service Auto
Scaling to use target tracking scaling. Set the minimum capacity to 3. Set the task placement
strategy type to spread with an Availability Zone attribute.
B. Use Amazon Elastic Kubernetes Service (Amazon EKS) self-managed nodes. Configure
Application Auto Scaling to use target tracking scaling. Set the minimum capacity to 3.
C. Use Amazon EC2 Reserved Instances. Launch three EC2 instances in a spread placement group.
Configure an Auto Scaling group to use target tracking scaling. Set the minimum capacity to 3.
D. Use an AWS Lambda function. Configure the Lambda function to connect to a VPC. Configure
Application Auto Scaling to use Lambda as a scalable target. Set the minimum capacity to 3.

Answer 41

A. Use Amazon Elastic Container Service (Amazon ECS). Configure Amazon ECS Service Auto
Scaling to use target tracking scaling. Set the minimum capacity to 3. Set the task placement
strategy type to spread with an Availability Zone attribute.

Question 42

QUESTION 856
A company is running a legacy system on an Amazon EC2 instance. The application code cannot
be modified, and the system cannot run on more than one instance. A solutions architect must
design a resilient solution that can improve the recovery time for the system.
What should the solutions architect recommend to meet these requirements?
A. Enable termination protection for the EC2 instance.
B. Configure the EC2 instance for Multi-AZ deployment.
C. Create an Amazon CloudWatch alarm to recover the EC2 instance in case of failure.
D. Launch the EC2 instance with two Amazon Elastic Block Store (Amazon EBS) volumes that use
RAID configurations for storage redundancy.

Answer 42

C. Create an Amazon CloudWatch alarm to recover the EC2 instance in case of failure.

Question 43

QUESTION 855
A company stores text files in Amazon S3. The text files include customer chat messages, date
and time information, and customer personally identifiable information (PII).
The company needs a solution to provide samples of the conversations to an external service
provider for quality control. The external service provider needs to randomly pick sample
conversations up to the most recent conversation. The company must not share the customer PII
with the external service provider. The solution must scale when the number of customer
conversations increases.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an Object Lambda Access Point. Create an AWS Lambda function that redacts the PII
when the function reads the file. Instruct the external service provider to access the Object
Lambda Access Point.
B. Create a batch process on an Amazon EC2 instance that regularly reads all new files, redacts the
PII from the files, and writes the redacted files to a different S3 bucket. Instruct the external service
provider to access the bucket that does not contain the PII.
C. Create a web application on an Amazon EC2 instance that presents a list of the files, redacts the
PII from the files, and allows the external service provider to download new versions of the files
that have the PII redacted.
D. Create an Amazon DynamoDB table. Create an AWS Lambda function that reads only the data in
the files that does not contain PII. Configure the Lambda function to store the non-PII data in the
DynamoDB table when a new file is written to Amazon S3. Grant the external service provider
access to the DynamoDB table.

Answer 43

A. Create an Object Lambda Access Point. Create an AWS Lambda function that redacts the PII
when the function reads the file. Instruct the external service provider to access the Object
Lambda Access Point.

Question 44

QUESTION 854
A company’s data platform uses an Amazon Aurora MySQL database. The database has multiple
read replicas and multiple DB instances across different Availability Zones. Users have recently
reported errors from the database that indicate that there are too many connections. The
company wants to reduce the failover time by 20% when a read replica is promoted to primary
writer.
Which solution will meet this requirement?
A. Switch from Aurora to Amazon RDS with Multi-AZ cluster deployment.
B. Use Amazon RDS Proxy in front of the Aurora database.
C. Switch to Amazon DynamoDB with DynamoDB Accelerator (DAX) for read connections.
D. Switch to Amazon Redshift with relocation capability.

Answer 44

B. Use Amazon RDS Proxy in front of the Aurora database.

Question 45

QUESTION 853
A company has users all around the world accessing its HTTP-based application deployed on
Amazon EC2 instances in multiple AWS Regions. The company wants to improve the availability
and performance of the application. The company also wants to protect the application against
common web exploits that may affect availability, compromise security, or consume excessive
resources. Static IP addresses are required.
What should a solutions architect recommend to accomplish this?
A. Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF
on the NLBs. Create an accelerator using AWS Global Accelerator and register the NLBs as
endpoints.
B. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Deploy AWS
WAF on the ALBs. Create an accelerator using AWS Global Accelerator and register the ALBs as
endpoints.
C. Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF
on the NLBs. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53
latency-based routing to route requests to the NLBs.
D. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Create an
Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing
to route requests to the ALBs. Deploy AWS WAF on the CloudFront distribution.

Answer 45

B. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Deploy AWS
WAF on the ALBs. Create an accelerator using AWS Global Accelerator and register the ALBs as
endpoints.

Question 46

QUESTION 852
A company has a nightly batch processing routine that analyzes report files that an on-premises
file system receives daily through SFTP. The company wants to move the solution to the AWS
Cloud. The solution must be highly available and resilient. The solution also must minimize
operational effort.
Which solution meets these requirements?
A. Deploy AWS Transfer for SFTP and an Amazon Elastic File System (Amazon EFS) file system for
storage. Use an Amazon EC2 instance in an Auto Scaling group with a scheduled scaling policy to
run the batch operation.
B. Deploy an Amazon EC2 instance that runs Linux and an SFTP service. Use an Amazon Elastic
Block Store (Amazon EBS) volume for storage. Use an Auto Scaling group with the minimum
number of instances and desired number of instances set to 1.
C. Deploy an Amazon EC2 instance that runs Linux and an SFTP service. Use an Amazon Elastic
File System (Amazon EFS) file system for storage. Use an Auto Scaling group with the minimum
number of instances and desired number of instances set to 1.
D. Deploy AWS Transfer for SFTP and an Amazon S3 bucket for storage. Modify the application to
pull the batch files from Amazon S3 to an Amazon EC2 instance for processing. Use an EC2
instance in an Auto Scaling group with a scheduled scaling policy to run the batch operation.

Answer 46

D. Deploy AWS Transfer for SFTP and an Amazon S3 bucket for storage. Modify the application to
pull the batch files from Amazon S3 to an Amazon EC2 instance for processing. Use an EC2
instance in an Auto Scaling group with a scheduled scaling policy to run the batch operation.

Question 47

QUESTION 851
A company has a multi-tier payment processing application that is based on virtual machines
(VMs). The communication between the tiers occurs asynchronously through a third-party
middleware solution that guarantees exactly-once delivery.
The company needs a solution that requires the least amount of infrastructure management. The
solution must guarantee exactly-once delivery for application messaging.
Which combination of actions will meet these requirements? (Choose two.)
A. Use AWS Lambda for the compute layers in the architecture.
B. Use Amazon EC2 instances for the compute layers in the architecture.
C. Use Amazon Simple Notification Service (Amazon SNS) as the messaging component between
the compute layers.
D. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues as the messaging component
between the compute layers.
E. Use containers that are based on Amazon Elastic Kubernetes Service (Amazon EKS) for the
compute layers in the architecture.

Answer 47

A. Use AWS Lambda for the compute layers in the architecture.

D. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues as the messaging component
between the compute layers.

Question 48

QUESTION 850
A solutions architect is designing an AWS Identity and Access Management (IAM) authorization
model for a company’s AWS account. The company has designated five specific employees to
have full access to AWS services and resources in the AWS account.
The solutions architect has created an IAM user for each of the five designated employees and
has created an IAM user group.
Which solution will meet these requirements?
A. Attach the AdministratorAccess resource-based policy to the IAM user group. Place each of the
five designated employee IAM users in the IAM user group.
B. Attach the SystemAdministrator identity-based policy to the IAM user group. Place each of the five
designated employee IAM users in the IAM user group.
C. Attach the AdministratorAccess identity-based policy to the IAM user group. Place each of the five
designated employee IAM users in the IAM user group.
D. Attach the SystemAdministrator resource-based policy to the IAM user group. Place each of the
five designated employee IAM users in the IAM user group.

Answer 48

C. Attach the AdministratorAccess identity-based policy to the IAM user group. Place each of the five
designated employee IAM users in the IAM user group.

Question 49

QUESTION 849
A company sets up an organization in AWS Organizations that contains 10 AWS accounts. A
solutions architect must design a solution to provide access to the accounts for several thousand
employees. The company has an existing identity provider (IdP). The company wants to use the
existing IdP for authentication to AWS.
Which solution will meet these requirements?
A. Create IAM users for the employees in the required AWS accounts. Connect IAM users to the
existing IdP. Configure federated authentication for the IAM users.
B. Set up AWS account root users with user email addresses and passwords that are synchronized from the existing IdP.
C. Configure AWS IAM Identity Center (AWS Single Sign-On). Connect IAM Identity Center to the
existing IdP. Provision users and groups from the existing IdP.
D. Use AWS Resource Access Manager (AWS RAM) to share access to the AWS accounts with the
users in the existing IdP.

Answer 49

C. Configure AWS IAM Identity Center (AWS Single Sign-On). Connect IAM Identity Center to the
existing IdP. Provision users and groups from the existing IdP.

Question 50

QUESTION 848
A company’s website is used to sell products to the public. The site runs on Amazon EC2
instances in an Auto Scaling group behind an Application Load Balancer (ALB). There is also an
Amazon CloudFront distribution, and AWS WAF is being used to protect against SQL injection
attacks. The ALB is the origin for the CloudFront distribution. A recent review of security logs
revealed an external malicious IP that needs to be blocked from accessing the website.
What should a solutions architect do to protect the application?
A. Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP
address.
B. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP
address.
C. Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the
malicious IP address.
D. Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the
malicious IP address.

Answer 50

B. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP
address.

Question 51

QUESTION 847
A company uses an organization in AWS Organizations to manage AWS accounts that contain
applications. The company sets up a dedicated monitoring member account in the organization.
The company wants to query and visualize observability data across the accounts by using
Amazon CloudWatch.
Which solution will meet these requirements?
A. Enable CloudWatch cross-account observability for the monitoring account. Deploy an AWS
CloudFormation template provided by the monitoring account in each AWS account to share the
data with the monitoring account.
B. Set up service control policies (SCPs) to provide access to CloudWatch in the monitoring account
under the Organizations root organizational unit (OU).
C. Configure a new IAM user in the monitoring account. In each AWS account, configure an IAM
policy to have access to query and visualize the CloudWatch data in the account. Attach the new
IAM policy to the new IAM user.
D. Create a new IAM user in the monitoring account. Create cross-account IAM policies in each AWS
account. Attach the IAM policies to the new IAM user.

Answer 51

A. Enable CloudWatch cross-account observability for the monitoring account. Deploy an AWS
CloudFormation template provided by the monitoring account in each AWS account to share the
data with the monitoring account.

Question 52

QUESTION 846
A financial services company wants to shut down two data centers and migrate more than 100 TB
of data to AWS. The data has an intricate directory structure with millions of small files stored in
deep hierarchies of subfolders. Most of the data is unstructured, and the company’s file storage
consists of SMB-based storage types from multiple vendors. The company does not want to
change its applications to access the data after migration.
What should a solutions architect do to meet these requirements with the LEAST operational
overhead?
A. Use AWS Direct Connect to migrate the data to Amazon S3.
B. Use AWS DataSync to migrate the data to Amazon FSx for Lustre.
C. Use AWS DataSync to migrate the data to Amazon FSx for Windows File Server.
D. Use AWS Direct Connect to migrate the data on-premises file storage to an AWS Storage
Gateway volume gateway.

Answer 52

C. Use AWS DataSync to migrate the data to Amazon FSx for Windows File Server.

Question 53

QUESTION 845
A company is deploying an application that processes streaming data in near-real time. The
company plans to use Amazon EC2 instances for the workload. The network architecture must be
configurable to provide the lowest possible latency between nodes.
Which combination of network solutions will meet these requirements? (Choose two.)
A. Enable and configure enhanced networking on each EC2 instance.
B. Group the EC2 instances in separate accounts.
C. Run the EC2 instances in a cluster placement group.
D. Attach multiple elastic network interfaces to each EC2 instance.
E. Use Amazon Elastic Block Store (Amazon EBS) optimized instance types.

Answer 53

A. Enable and configure enhanced networking on each EC2 instance.

C. Run the EC2 instances in a cluster placement group.

Question 54

QUESTION 844
A company has established a new AWS account. The account is newly provisioned and no
changes have been made to the default settings. The company is concerned about the security of
the AWS account root user.
What should be done to secure the root user?
A. Create IAM users for daily administrative tasks. Disable the root user.
B. Create IAM users for daily administrative tasks. Enable multi-factor authentication on the root user.
C. Generate an access key for the root user. Use the access key for daily administration tasks
instead of the AWS Management Console.
D. Provide the root user credentials to the most senior solutions architect. Have the solutions
architect use the root user for daily administration tasks.

Answer 54

B. Create IAM users for daily administrative tasks. Enable multi-factor authentication on the root user.

Question 55

QUESTION 843
A company is designing a new web service that will run on Amazon EC2 instances behind an
Elastic Load Balancing (ELB) load balancer. However, many of the web service clients can only
reach IP addresses authorized on their firewalls.
What should a solutions architect recommend to meet the clients’ needs?
A. A Network Load Balancer with an associated Elastic IP address.
B. An Application Load Balancer with an associated Elastic IP address.
C. An A record in an Amazon Route 53 hosted zone pointing to an Elastic IP address.
D. An EC2 instance with a public IP address running as a proxy in front of the load balancer.

Answer 55

C. An A record in an Amazon Route 53 hosted zone pointing to an Elastic IP address.

Question 56

QUESTION 842
To meet security requirements, a company needs to encrypt all of its application data in transit
while communicating with an Amazon RDS MySQL DB instance. A recent security audit revealed
that encryption at rest is enabled using AWS Key Management Service (AWS KMS), but data in
transit is not enabled.
What should a solutions architect do to satisfy the security requirements?
A. Enable IAM database authentication on the database.
B. Provide self-signed certificates. Use the certificates in all connections to the RDS instance.
C. Take a snapshot of the RDS instance. Restore the snapshot to a new instance with encryption
enabled.
D. Download AWS-provided root certificates. Provide the certificates in all connections to the RDS
instance.

Answer 56

D. Download AWS-provided root certificates. Provide the certificates in all connections to the RDS
instance.

Question 57

QUESTION 841
A company is building an application on AWS that connects to an Amazon RDS database. The
company wants to manage the application configuration and to securely store and retrieve
credentials for the database and other services.
Which solution will meet these requirements with the LEAST administrative overhead?
A. Use AWS AppConfig to store and manage the application configuration. Use AWS Secrets
Manager to store and retrieve the credentials.
B. Use AWS Lambda to store and manage the application configuration. Use AWS Systems Manager
Parameter Store to store and retrieve the credentials.
C. Use an encrypted application configuration file. Store the file in Amazon S3 for the application
configuration. Create another S3 file to store and retrieve the credentials.
D. Use AWS AppConfig to store and manage the application configuration. Use Amazon RDS to
store and retrieve the credentials.

Answer 57

A. Use AWS AppConfig to store and manage the application configuration. Use AWS Secrets
Manager to store and retrieve the credentials.

Question 58

QUESTION 840
The DNS provider that hosts a company’s domain name records is experiencing outages that
cause service disruption for a website running on AWS. The company needs to migrate to a more
resilient managed DNS service and wants the service to run on AWS.
What should a solutions architect do to rapidly migrate the DNS hosting service?
A. Create an Amazon Route 53 public hosted zone for the domain name. Import the zone file
containing the domain records hosted by the previous provider.
B. Create an Amazon Route 53 private hosted zone for the domain name. Import the zone file
containing the domain records hosted by the previous provider.
C. Create a Simple AD directory in AWS. Enable zone transfer between the DNS provider and AWS
Directory Service for Microsoft Active Directory for the domain records.
D. Create an Amazon Route 53 Resolver inbound endpoint in the VPC. Specify the IP addresses that
the provider’s DNS will forward DNS queries to. Configure the provider’s DNS to forward DNS
queries for the domain to the IP addresses that are specified in the inbound endpoint.

Answer 58

A. Create an Amazon Route 53 public hosted zone for the domain name. Import the zone file
containing the domain records hosted by the previous provider.

Question 59

QUESTION 839
A company migrated millions of archival files to Amazon S3. A solutions architect needs to
implement a solution that will encrypt all the archival data by using a customer-provided key. The
solution must encrypt existing unencrypted objects and future objects.
Which solution will meet these requirements?
A. Create a list of unencrypted objects by filtering an Amazon S3 Inventory report. Configure an S3
Batch Operations job to encrypt the objects from the list with a server-side encryption with a
customer-provided key (SSE-C). Configure the S3 default encryption feature to use a server-side
encryption with a customer-provided key (SSE-C).
B. Use S3 Storage Lens metrics to identify unencrypted S3 buckets. Configure the S3 default
encryption feature to use a server-side encryption with AWS KMS keys (SSE-KMS).
C. Create a list of unencrypted objects by filtering the AWS usage report for Amazon S3. Configure
an AWS Batch job to encrypt the objects from the list with a server-side encryption with AWS KMS
keys (SSE-KMS). Configure the S3 default encryption feature to use a server-side encryption with
AWS KMS keys (SSE-KMS).
D. Create a list of unencrypted objects by filtering the AWS usage report for Amazon S3. Configure
the S3 default encryption feature to use a server-side encryption with a customer-provided key
(SSE-C).

Answer 59

A. Create a list of unencrypted objects by filtering an Amazon S3 Inventory report. Configure an S3
Batch Operations job to encrypt the objects from the list with a server-side encryption with a
customer-provided key (SSE-C). Configure the S3 default encryption feature to use a server-side
encryption with a customer-provided key (SSE-C).

Explanation:
https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

Question 60

QUESTION 838
A company is building a new application that uses serverless architecture. The architecture will
consist of an Amazon API Gateway REST API and AWS Lambda functions to manage incoming
requests.
The company wants to add a service that can send messages received from the API Gateway
REST API to multiple target Lambda functions for processing. The service must offer message
filtering that gives the target Lambda functions the ability to receive only the messages the
functions need.
Which solution will meet these requirements with the LEAST operational overhead?
A. Send the requests from the API Gateway REST API to an Amazon Simple Notification Service
(Amazon SNS) topic. Subscribe Amazon Simple Queue Service (Amazon SQS) queues to the SNS topic. Configure the target Lambda functions to poll the different SQS queues.
B. Send the requests from the API Gateway REST API to Amazon EventBridge. Configure
EventBridge to invoke the target Lambda functions.
C. Send the requests from the API Gateway REST API to Amazon Managed Streaming for Apache
Kafka (Amazon MSK). Configure Amazon MSK to publish the messages to the target Lambda
functions.
D. Send the requests from the API Gateway REST API to multiple Amazon Simple Queue Service
(Amazon SQS) queues. Configure the target Lambda functions to poll the different SQS queues.

Answer 60

A. Send the requests from the API Gateway REST API to an Amazon Simple Notification Service
(Amazon SNS) topic. Subscribe Amazon Simple Queue Service (Amazon SQS) queues to the SNS topic. Configure the target Lambda functions to poll the different SQS queues.

Question 61

QUESTION 836
A company has an application that delivers on-demand training videos to students around the
world. The application also allows authorized content developers to upload videos. The data is
stored in an Amazon S3 bucket in the us-east-2 Region.
The company has created an S3 bucket in the eu-west-2 Region and an S3 bucket in the ap-
southeast-1 Region. The company wants to replicate the data to the new S3 buckets. The
company needs to minimize latency for developers who upload videos and students who stream videos near eu-west-2 and ap-southeast-1.
Which combination of steps will meet these requirements with the FEWEST changes to the
application? (Choose two.)
A. Configure one-way replication from the us-east-2 S3 bucket to the eu-west-2 S3 bucket. Configure
one-way replication from the us-east-2 S3 bucket to the ap-southeast-1 S3 bucket.
B. Configure one-way replication from the us-east-2 S3 bucket to the eu-west-2 S3 bucket. Configure
one-way replication from the eu-west-2 S3 bucket to the ap-southeast-1 S3 bucket.
C. Configure two-way (bidirectional) replication among the S3 buckets that are in all three Regions.
D. Create an S3 Multi-Region Access Point. Modify the application to use the Amazon Resource
Name (ARN) of the Multi-Region Access Point for video streaming. Do not modify the application
for video uploads.
E. Create an S3 Multi-Region Access Point. Modify the application to use the Amazon Resource
Name (ARN) of the Multi-Region Access Point for video streaming and uploads.

Answer 61

C. Configure two-way (bidirectional) replication among the S3 buckets that are in all three Regions.
E. Create an S3 Multi-Region Access Point. Modify the application to use the Amazon Resource
Name (ARN) of the Multi-Region Access Point for video streaming and uploads.

Question 62

QUESTION 835
A company has multiple AWS accounts with applications deployed in the us-west-2 Region.
Application logs are stored within Amazon S3 buckets in each account. The company wants to
build a centralized log analysis solution that uses a single S3 bucket. Logs must not leave us-
west-2, and the company wants to incur minimal operational overhead.
Which solution meets these requirements and is MOST cost-effective?
A. Create an S3 Lifecycle policy that copies the objects from one of the application S3 buckets to the
centralized S3 bucket.
B. Use S3 Same-Region Replication to replicate logs from the S3 buckets to another S3 bucket in us-
west-2. Use this S3 bucket for log analysis.
C. Write a script that uses the PutObject API operation every day to copy the entire contents of the
buckets to another S3 bucket in us-west-2. Use this S3 bucket for log analysis.
D. Write AWS Lambda functions in these accounts that are triggered every time logs are delivered to
the S3 buckets (s3:ObjectCreated:* event). Copy the logs to another S3 bucket in us-west-2. Use
this S3 bucket for log analysis.

Answer 62

B. Use S3 Same-Region Replication to replicate logs from the S3 buckets to another S3 bucket in us-
west-2. Use this S3 bucket for log analysis.

Question 63

QUESTION 834
A company is developing a mobile game that streams score updates to a backend processor and
then posts results on a leaderboard. A solutions architect needs to design a solution that can
handle large traffic spikes, process the mobile game updates in order of receipt, and store the
processed updates in a highly available database. The company also wants to minimize the
management overhead required to maintain the solution.
What should the solutions architect do to meet these requirements?
A. Push score updates to Amazon Kinesis Data Streams. Process the updates in Kinesis Data
Streams with AWS Lambda. Store the processed updates in Amazon DynamoDB.
B. Push score updates to Amazon Kinesis Data Streams. Process the updates with a fleet of Amazon
EC2 instances set up for Auto Scaling. Store the processed updates in Amazon Redshift.
C. Push score updates to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe an
AWS Lambda function to the SNS topic to process the updates. Store the processed updates in a
SQL database running on Amazon EC2.
D. Push score updates to an Amazon Simple Queue Service (Amazon SQS) queue. Use a fleet of
Amazon EC2 instances with Auto Scaling to process the updates in the SQS queue. Store the
processed updates in an Amazon RDS Multi-AZ DB instance.

Answer 63

A. Push score updates to Amazon Kinesis Data Streams. Process the updates in Kinesis Data
Streams with AWS Lambda. Store the processed updates in Amazon DynamoDB.

Question 64

QUESTION 833
A company has an AWS Direct Connect connection from its corporate data center to its VPC in
the us-east-1 Region. The company recently acquired a corporation that has several VPCs and a
Direct Connect connection between its on-premises data center and the eu-west-2 Region. The
CIDR blocks for the VPCs of the company and the corporation do not overlap. The company
requires connectivity between two Regions and the data centers. The company needs a solution
that is scalable while reducing operational overhead.
What should a solutions architect do to meet these requirements?
A. Set up inter-Region VPC peering between the VPC in us-east-1 and the VPCs in eu-west-2.
B. Create private virtual interfaces from the Direct Connect connection in us-east-1 to the VPCs in eu-
west-2.
C. Establish VPN appliances in a fully meshed VPN network hosted by Amazon EC2. Use AWS VPN
CloudHub to send and receive data between the data centers and each VPC.
D. Connect the existing Direct Connect connection to a Direct Connect gateway. Route traffic from
the virtual private gateways of the VPCs in each Region to the Direct Connect gateway.

Answer 64

D. Connect the existing Direct Connect connection to a Direct Connect gateway. Route traffic from
the virtual private gateways of the VPCs in each Region to the Direct Connect gateway.

Question 65

QUESTION 832
An ecommerce company runs applications in AWS accounts that are part of an organization in
AWS Organizations. The applications run on Amazon Aurora PostgreSQL databases across all
the accounts. The company needs to prevent malicious activity and must identify abnormal failed
and incomplete login attempts to the databases.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Attach service control policies (SCPs) to the root of the organization to identity the failed login
attempts.
B. Enable the Amazon RDS Protection feature in Amazon GuardDuty for the member accounts of the
organization.
C. Publish the Aurora general logs to a log group in Amazon CloudWatch Logs. Export the log data to
a central Amazon S3 bucket.
D. Publish all the Aurora PostgreSQL database events in AWS CloudTrail to a central Amazon S3
bucket.

Answer 65

B. Enable the Amazon RDS Protection feature in Amazon GuardDuty for the member accounts of the
organization.

Question 66

QUESTION 831
A company has deployed its application on Amazon EC2 instances with an Amazon RDS database. The company used the principle of least privilege to configure the database access
credentials. The company’s security team wants to protect the application and the database from
SQL injection and other web-based attacks.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use security groups and network ACLs to secure the database and application servers.
B. Use AWS WAF to protect the application. Use RDS parameter groups to configure the security
settings.
C. Use AWS Network Firewall to protect the application and the database.
D. Use different database accounts in the application code for different functions. Avoid granting
excessive privileges to the database users.

Answer 66

B. Use AWS WAF to protect the application. Use RDS parameter groups to configure the security
settings.

Question 67

QUESTION 830
A company has an application that uses an Amazon DynamoDB table for storage. A solutions
architect discovers that many requests to the table are not returning the latest data. The
company’s users have not reported any other issues with database performance. Latency is in an
acceptable range.
Which design change should the solutions architect recommend?
A. Add read replicas to the table.
B. Use a global secondary index (GSI).
C. Request strongly consistent reads for the table.
D. Request eventually consistent reads for the table.

Answer 67

C. Request strongly consistent reads for the table.

Question 68

QUESTION 829
A package delivery company has an application that uses Amazon EC2 instances and an
Amazon Aurora MySQL DB cluster. As the application becomes more popular, EC2 instance
usage increases only slightly. DB cluster usage increases at a much faster rate.
The company adds a read replica, which reduces the DB cluster usage for a short period of time.
However, the load continues to increase. The operations that cause the increase in DB cluster
usage are all repeated read statements that are related to delivery details. The company needs to
alleviate the effect of repeated reads on the DB cluster.
Which solution will meet these requirements MOST cost-effectively?
A. Implement an Amazon ElastiCache for Redis cluster between the application and the DB cluster.
B. Add an additional read replica to the DB cluster.
C. Configure Aurora Auto Scaling for the Aurora read replicas.
D. Modify the DB cluster to have multiple writer instances.

Answer 68

A. Implement an Amazon ElastiCache for Redis cluster between the application and the DB cluster.

Question 69

QUESTION 828
A company runs a three-tier web application in a VPC across multiple Availability Zones. Amazon
EC2 instances run in an Auto Scaling group for the application tier.
The company needs to make an automated scaling plan that will analyze each resource’s daily
and weekly historical workload trends. The configuration must scale resources appropriately
according to both the forecast and live changes in utilization.
Which scaling strategy should a solutions architect recommend to meet these requirements?
A. Implement dynamic scaling with step scaling based on average CPU utilization from the EC2
instances.
B. Enable predictive scaling to forecast and scale. Configure dynamic scaling with target tracking
C. Create an automated scheduled scaling action based on the traffic patterns of the web application.
D. Set up a simple scaling policy. Increase the cooldown period based on the EC2 instance startup
time.

Answer 69

B. Enable predictive scaling to forecast and scale. Configure dynamic scaling with target tracking

Question 70

QUESTION 827
A company has an on-premises data center that is running out of storage capacity. The company
wants to migrate its storage infrastructure to AWS while minimizing bandwidth costs. The solution
must allow for immediate retrieval of data at no additional cost.
How can these requirements be met?
A. Deploy Amazon S3 Glacier Vault and enable expedited retrieval. Enable provisioned retrieval
capacity for the workload.
B. Deploy AWS Storage Gateway using cached volumes. Use Storage Gateway to store data in
Amazon S3 while retaining copies of frequently accessed data subsets locally.
C. Deploy AWS Storage Gateway using stored volumes to store data locally. Use Storage Gateway
to asynchronously back up point-in-time snapshots of the data to Amazon S3.
D. Deploy AWS Direct Connect to connect with the on-premises data center. Configure AWS Storage
Gateway to store data locally. Use Storage Gateway to asynchronously back up point-in-time
snapshots of the data to Amazon S3.

Answer 70

C. Deploy AWS Storage Gateway using stored volumes to store data locally. Use Storage Gateway
to asynchronously back up point-in-time snapshots of the data to Amazon S3.

Question 71

QUESTION 826
A company stores critical data in Amazon DynamoDB tables in the company’s AWS account. An
IT administrator accidentally deleted a DynamoDB table. The deletion caused a significant loss of
data and disrupted the company’s operations. The company wants to prevent this type of
disruption in the future.
Which solution will meet this requirement with the LEAST operational overhead?
A. Configure a trail in AWS CloudTrail. Create an Amazon EventBridge rule for delete actions. Create
an AWS Lambda function to automatically restore deleted DynamoDB tables.
B. Create a backup and restore plan for the DynamoDB tables. Recover the DynamoDB tables
manually.
C. Configure deletion protection on the DynamoDB tables.
D. Enable point-in-time recovery on the DynamoDB tables.

Answer 71

C. Configure deletion protection on the DynamoDB tables.

Question 72

QUESTION 825
A company has deployed a multiplayer game for mobile devices. The game requires live location
tracking of players based on latitude and longitude. The data store for the game must support
rapid updates and retrieval of locations.
The game uses an Amazon RDS for PostgreSQL DB instance with read replicas to store the
location data. During peak usage periods, the database is unable to maintain the performance
that is needed for reading and writing updates. The game’s user base is increasing rapidly.
What should a solutions architect do to improve the performance of the data tier?
A. Take a snapshot of the existing DB instance. Restore the snapshot with Multi-AZ enabled.
B. Migrate from Amazon RDS to Amazon OpenSearch Service with OpenSearch Dashboards.
C. Deploy Amazon DynamoDB Accelerator (DAX) in front of the existing DB instance. Modify the
game to use DAX.
D. Deploy an Amazon ElastiCache for Redis cluster in front of the existing DB instance. Modify the
game to use Redis.

Answer 72

D. Deploy an Amazon ElastiCache for Redis cluster in front of the existing DB instance. Modify the
game to use Redis.

Question 73

QUESTION 824
A company maintains about 300 TB in Amazon S3 Standard storage month after month. The S3
objects are each typically around 50 GB in size and are frequently replaced with multipart uploads
by their global application. The number and size of S3 objects remain constant, but the
company’s S3 storage costs are increasing each month.
How should a solutions architect reduce costs in this situation?
A. Switch from multipart uploads to Amazon S3 Transfer Acceleration.
B. Enable an S3 Lifecycle policy that deletes incomplete multipart uploads.
C. Configure S3 inventory to prevent objects from being archived too quickly.
D. Configure Amazon CloudFront to reduce the number of objects stored in Amazon S3.

Answer 73

B. Enable an S3 Lifecycle policy that deletes incomplete multipart uploads.

Question 74

QUESTION 823
A company runs container applications by using Amazon Elastic Kubernetes Service (Amazon
EKS) and the Kubernetes Horizontal Pod Autoscaler. The workload is not consistent throughout
the day. A solutions architect notices that the number of nodes does not automatically scale out
when the existing nodes have reached maximum capacity in the cluster, which causes
performance issues.
Which solution will resolve this issue with the LEAST administrative overhead?
A. Scale out the nodes by tracking the memory usage.
B. Use the Kubernetes Cluster Autoscaler to manage the number of nodes in the cluster.
C. Use an AWS Lambda function to resize the EKS cluster automatically.
D. Use an Amazon EC2 Auto Scaling group to distribute the workload.

Answer 74

B. Use the Kubernetes Cluster Autoscaler to manage the number of nodes in the cluster.

Question 75

QUESTION 822
A company has applications that run on Amazon EC2 instances. The EC2 instances connect to
Amazon RDS databases by using an IAM role that has associated policies. The company wants
to use AWS Systems Manager to patch the EC2 instances without disrupting the running
applications.
Which solution will meet these requirements?
A. Create a new IAM role. Attach the AmazonSSMManagedInstanceCore policy to the new IAM role.
Attach the new IAM role to the EC2 instances and the existing IAM role.
B. Create an IAM user. Attach the AmazonSSMManagedInstanceCore policy to the IAM user.
Configure Systems Manager to use the IAM user to manage the EC2 instances.
C. Enable Default Host Configuration Management in Systems Manager to manage the EC2
instances.
D. Remove the existing policies from the existing IAM role. Add the
AmazonSSMManagedInstanceCore policy to the existing IAM role.

Answer 75

C. Enable Default Host Configuration Management in Systems Manager to manage the EC2
instances.

Question 76

QUESTION 821
A company has an AWS Direct Connect connection from its on-premises location to an AWS
account. The AWS account has 30 different VPCs in the same AWS Region. The VPCs use
private virtual interfaces (VIFs). Each VPC has a CIDR block that does not overlap with other
networks under the company’s control.
The company wants to centrally manage the networking architecture while still allowing each VPC
to communicate with all other VPCs and on-premises networks.
Which solution will meet these requirements with the LEAST amount of operational overhead?
A. Create a transit gateway, and associate the Direct Connect connection with a new transit VIF. Turn
on the transit gateway’s route propagation feature.
B. Create a Direct Connect gateway. Recreate the private VIFs to use the new gateway. Associate
each VPC by creating new virtual private gateways.
C. Create a transit VPConnect the Direct Connect connection to the transit VPCreate a peering
connection between all other VPCs in the Region. Update the route tables.
D. Create AWS Site-to-Site VPN connections from on premises to each VPC. Ensure that both VPN
tunnels are UP for each connection. Turn on the route propagation feature.

Answer 76

A. Create a transit gateway, and associate the Direct Connect connection with a new transit VIF. Turn
on the transit gateway’s route propagation feature.

Question 77

QUESTION 820
A company wants to rearchitect a large-scale web application to a serverless microservices
architecture. The application uses Amazon EC2 instances and is written in Python.
The company selected one component of the web application to test as a microservice. The
component supports hundreds of requests each second. The company wants to create and test
the microservice on an AWS solution that supports Python. The solution must also scale
automatically and require minimal infrastructure and minimal operational support.
Which solution will meet these requirements?
A. Use a Spot Fleet with auto scaling of EC2 instances that run the most recent Amazon Linux
operating system.
B. Use an AWS Elastic Beanstalk web server environment that has high availability configured.
C. Use Amazon Elastic Kubernetes Service (Amazon EKS). Launch Auto Scaling groups of self-
managed EC2 instances.
D. Use an AWS Lambda function that runs custom developed code.

Answer 77

C. Use Amazon Elastic Kubernetes Service (Amazon EKS). Launch Auto Scaling groups of self-
managed EC2 instances.

Question 78

QUESTION 819
A manufacturing company runs its report generation application on AWS. The application
generates each report in about 20 minutes. The application is built as a monolith that runs on a
single Amazon EC2 instance. The application requires frequent updates to its tightly coupled
modules. The application becomes complex to maintain as the company adds new features.
Each time the company patches a software module, the application experiences downtime.
Report generation must restart from the beginning after any interruptions. The company wants to
redesign the application so that the application can be flexible, scalable, and gradually improved.
The company wants to minimize application downtime.
Which solution will meet these requirements?
A. Run the application on AWS Lambda as a single function with maximum provisioned concurrency.
B. Run the application on Amazon EC2 Spot Instances as microservices with a Spot Fleet default
allocation strategy.
C. Run the application on Amazon Elastic Container Service (Amazon ECS) as microservices with
service auto scaling.
D. Run the application on AWS Elastic Beanstalk as a single application environment with an all-at-
once deployment strategy.

Answer 78

B. Run the application on Amazon EC2 Spot Instances as microservices with a Spot Fleet default
allocation strategy.

Question 79

QUESTION 818
A company is migrating a large amount of data from on-premises storage to AWS. Windows,
Mac, and Linux based Amazon EC2 instances in the same AWS Region will access the data by
using SMB and NFS storage protocols. The company will access a portion of the data routinely.
The company will access the remaining data infrequently.
The company needs to design a solution to host the data.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an Amazon Elastic File System (Amazon EFS) volume that uses EFS Intelligent-Tiering.
Use AWS DataSync to migrate the data to the EFS volume.
B. Create an Amazon FSx for ONTAP instance. Create an FSx for ONTAP file system with a root
volume that uses the auto tiering policy. Migrate the data to the FSx for ONTAP volume.
C. Create an Amazon S3 bucket that uses S3 Intelligent-Tiering. Migrate the data to the S3 bucket by
using an AWS Storage Gateway Amazon S3 File Gateway.
D. Create an Amazon FSx for OpenZFS file system. Migrate the data to the new volume.

Answer 79

C. Create an Amazon S3 bucket that uses S3 Intelligent-Tiering. Migrate the data to the S3 bucket by
using an AWS Storage Gateway Amazon S3 File Gateway.

Question 80

QUESTION 817
A company’s applications use Apache Hadoop and Apache Spark to process data on premises.
The existing infrastructure is not scalable and is complex to manage.
A solutions architect must design a scalable solution that reduces operational complexity. The
solution must keep the data processing on premises.
Which solution will meet these requirements?
A. Use AWS Site-to-Site VPN to access the on-premises Hadoop Distributed File System (HDFS)
data and application. Use an Amazon EMR cluster to process the data.
B. Use AWS DataSync to connect to the on-premises Hadoop Distributed File System (HDFS)
cluster. Create an Amazon EMR cluster to process the data.
C. Migrate the Apache Hadoop application and the Apache Spark application to Amazon EMR
clusters on AWS Outposts. Use the EMR clusters to process the data.
D. Use an AWS Snowball device to migrate the data to an Amazon S3 bucket. Create an Amazon
EMR cluster to process the data.

Answer 80

C. Migrate the Apache Hadoop application and the Apache Spark application to Amazon EMR
clusters on AWS Outposts. Use the EMR clusters to process the data.

Question 81

QUESTION 816
A company wants to migrate an on-premises legacy application to AWS. The application ingests
customer order files from an on-premises enterprise resource planning (ERP) system. The
application then uploads the files to an SFTP server. The application uses a scheduled job that
checks for order files every hour.
The company already has an AWS account that has connectivity to the on-premises network. The
new application on AWS must support integration with the existing ERP system. The new
application must be secure and resilient and must use the SFTP protocol to process orders from
the ERP system immediately.
Which solution will meet these requirements?
A. Create an AWS Transfer Family SFTP internet-facing server in two Availability Zones. Use
Amazon S3 storage. Create an AWS Lambda function to process order files. Use S3 Event
Notifications to send s3:ObjectCreated:* events to the Lambda function.
B. Create an AWS Transfer Family SFTP internet-facing server in one Availability Zone. Use Amazon
Elastic File System (Amazon EFS) storage. Create an AWS Lambda function to process order
files. Use a Transfer Family managed workflow to invoke the Lambda function.
C. Create an AWS Transfer Family SFTP internal server in two Availability Zones. Use Amazon
Elastic File System (Amazon EFS) storage. Create an AWS Step Functions state machine to
process order files. Use Amazon EventBridge Scheduler to invoke the state machine to
periodically check Amazon EFS for order files.
D. Create an AWS Transfer Family SFTP internal server in two Availability Zones. Use Amazon S3
storage. Create an AWS Lambda function to process order files. Use a Transfer Family managed
workflow to invoke the Lambda function.

Answer 81

D. Create an AWS Transfer Family SFTP internal server in two Availability Zones. Use Amazon S3
storage. Create an AWS Lambda function to process order files. Use a Transfer Family managed
workflow to invoke the Lambda function.

Question 82

QUESTION 815
A company runs a real-time data ingestion solution on AWS. The solution consists of the most
recent version of Amazon Managed Streaming for Apache Kafka (Amazon MSK). The solution is
deployed in a VPC in private subnets across three Availability Zones.
A solutions architect needs to redesign the data ingestion solution to be publicly available over the internet. The data in transit must also be encrypted.
Which solution will meet these requirements with the MOST operational efficiency?
A. Configure public subnets in the existing VPC. Deploy an MSK cluster in the public subnets. Update
the MSK cluster security settings to enable mutual TLS authentication.
B. Create a new VPC that has public subnets. Deploy an MSK cluster in the public subnets. Update
the MSK cluster security settings to enable mutual TLS authentication.
C. Deploy an Application Load Balancer (ALB) that uses private subnets. Configure an ALB security
group inbound rule to allow inbound traffic from the VPC CIDR block for HTTPS protocol.
D. Deploy a Network Load Balancer (NLB) that uses private subnets. Configure an NLB listener for
HTTPS communication over the internet.

Answer 82

A. Configure public subnets in the existing VPC. Deploy an MSK cluster in the public subnets. Update
the MSK cluster security settings to enable mutual TLS authentication.

Question 83

QUESTION 814
A company uses Amazon EC2, AWS Fargate, and AWS Lambda to run multiple workloads in the
company’s AWS account. The company wants to fully make use of its Compute Savings Plans.
The company wants to receive notification when coverage of the Compute Savings Plans drops.
Which solution will meet these requirements with the MOST operational efficiency?
A. Create a daily budget for the Savings Plans by using AWS Budgets. Configure the budget with a
coverage threshold to send notifications to the appropriate email message recipients.
B. Create a Lambda function that runs a coverage report against the Savings Plans. Use Amazon
Simple Email Service (Amazon SES) to email the report to the appropriate email message
recipients.
C. Create an AWS Budgets report for the Savings Plans budget. Set the frequency to daily.
D. Create a Savings Plans alert subscription. Enable all notification options. Enter an email address
to receive notifications.

Answer 83

A. Create a daily budget for the Savings Plans by using AWS Budgets. Configure the budget with a
coverage threshold to send notifications to the appropriate email message recipients.

Explanation:
https://docs.aws.amazon.com/savingsplans/latest/userguide/sp-usingBudgets.html

Question 84

QUESTION 813
A company runs a highly available web application on Amazon EC2 instances behind an
Application Load Balancer. The company uses Amazon CloudWatch metrics.
As the traffic to the web application increases, some EC2 instances become overloaded with
many outstanding requests. The CloudWatch metrics show that the number of requests
processed and the time to receive the responses from some EC2 instances are both higher
compared to other EC2 instances. The company does not want new requests to be forwarded to
the EC2 instances that are already overloaded.
Which solution will meet these requirements?
A. Use the round robin routing algorithm based on the RequestCountPerTarget and
ActiveConnectionCount CloudWatch metrics.
B. Use the least outstanding requests algorithm based on the RequestCountPerTarget and
ActiveConnectionCount CloudWatch metrics.
C. Use the round robin routing algorithm based on the RequestCount and TargetResponseTime
CloudWatch metrics.
D. Use the least outstanding requests algorithm based on the RequestCount and
TargetResponseTime CloudWatch metrics.

Answer 84

B. Use the least outstanding requests algorithm based on the RequestCountPerTarget and
ActiveConnectionCount CloudWatch metrics.

Question 85

QUESTION 812
A company is running a photo hosting service in the us-east-1 Region. The service enables users
across multiple countries to upload and view photos. Some photos are heavily viewed for months,
and others are viewed for less than a week. The application allows uploads of up to 20 MB for
each photo. The service uses the photo metadata to determine which photos to display to each
user.
Which solution provides the appropriate user access MOST cost-effectively?
A. Store the photos in Amazon DynamoDB. Turn on DynamoDB Accelerator (DAX) to cache
frequently viewed items.
B. Store the photos in the Amazon S3 Intelligent-Tiering storage class. Store the photo metadata and
its S3 location in DynamoDB.
C. Store the photos in the Amazon S3 Standard storage class. Set up an S3 Lifecycle policy to move
photos older than 30 days to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class.
Use the object tags to keep track of metadata.
D. Store the photos in the Amazon S3 Glacier storage class. Set up an S3 Lifecycle policy to move
photos older than 30 days to the S3 Glacier Deep Archive storage class. Store the photo metadata
and its S3 location in Amazon OpenSearch Service.

Answer 85

D. Store the photos in the Amazon S3 Glacier storage class. Set up an S3 Lifecycle policy to move
photos older than 30 days to the S3 Glacier Deep Archive storage class. Store the photo metadata
and its S3 location in Amazon OpenSearch Service.

Question 86

QUESTION 811
A company is designing a web application on AWS. The application will use a VPN connection
between the company’s existing data centers and the company’s VPCs.
The company uses Amazon Route 53 as its DNS service. The application must use private DNS
records to communicate with the on-premises services from a VPC.
Which solution will meet these requirements in the MOST secure manner?
A. Create a Route 53 Resolver outbound endpoint. Create a resolver rule. Associate the resolver rule
with the VPC.
B. Create a Route 53 Resolver inbound endpoint. Create a resolver rule. Associate the resolver rule
with the VPC.
C. Create a Route 53 private hosted zone. Associate the private hosted zone with the VPC.
D. Create a Route 53 public hosted zone. Create a record for each service to allow service
communication

Answer 86

A. Create a Route 53 Resolver outbound endpoint. Create a resolver rule. Associate the resolver rule
with the VPC.

Question 87

QUESTION 810
An ecommerce company runs its application on AWS. The application uses an Amazon Aurora
PostgreSQL cluster in Multi-AZ mode for the underlying database. During a recent promotional
campaign, the application experienced heavy read load and write load. Users experienced
timeout issues when they attempted to access the application.
A solutions architect needs to make the application architecture more scalable and highly
available.
Which solution will meet these requirements with the LEAST downtime?
A. Create an Amazon EventBridge rule that has the Aurora cluster as a source. Create an AWS
Lambda function to log the state change events of the Aurora cluster. Add the Lambda function as
a target for the EventBridge rule. Add additional reader nodes to fail over to.
B. Modify the Aurora cluster and activate the zero-downtime restart (ZDR) feature. Use Database
Activity Streams on the cluster to track the cluster status.
C. Add additional reader instances to the Aurora cluster. Create an Amazon RDS Proxy target group
for the Aurora cluster.
D. Create an Amazon ElastiCache for Redis cache. Replicate data from the Aurora cluster to Redis
by using AWS Database Migration Service (AWS DMS) with a write-around approach.

Answer 87

C. Add additional reader instances to the Aurora cluster. Create an Amazon RDS Proxy target group
for the Aurora cluster.

Question 88

QUESTION 809
A company’s website hosted on Amazon EC2 instances processes classified data stored in
Amazon S3. Due to security concerns, the company requires a private and secure connection
between its EC2 resources and Amazon S3.
Which solution meets these requirements?
A. Set up S3 bucket policies to allow access from a VPC endpoint.
B. Set up an IAM policy to grant read-write access to the S3 bucket.
C. Set up a NAT gateway to access resources outside the private subnet.
D. Set up an access key ID and a secret access key to access the S3 bucket.

Answer 88

A. Set up S3 bucket policies to allow access from a VPC endpoint.

Explanation:
A VPC endpoint enables customers to privately connect to supported AWS services.

Question 89

QUESTION 808
A company has an organization in AWS Organizations. The company runs Amazon EC2
instances across four AWS accounts in the root organizational unit (OU). There are three
nonproduction accounts and one production account. The company wants to prohibit users from
launching EC2 instances of a certain size in the nonproduction accounts. The company has
created a service control policy (SCP) to deny access to launch instances that use the prohibited
types.
Which solutions to deploy the SCP will meet these requirements? (Choose two.)
A. Attach the SCP to the root OU for the organization.
B. Attach the SCP to the three nonproduction Organizations member accounts.
C. Attach the SCP to the Organizations management account.
D. Create an OU for the production account. Attach the SCP to the OU. Move the production member
account into the new OU.
E. Create an OU for the required accounts. Attach the SCP to the OU. Move the nonproduction
member accounts into the new OU.

Answer 89

B. Attach the SCP to the three nonproduction Organizations member accounts.

E. Create an OU for the required accounts. Attach the SCP to the OU. Move the nonproduction
member accounts into the new OU.

Question 90

QUESTION 807
A company wants to use NAT gateways in its AWS environment. The company’s Amazon EC2
instances in private subnets must be able to connect to the public internet through the NAT
gateways.
Which solution will meet these requirements?
A. Create public NAT gateways in the same private subnets as the EC2 instances.
B. Create private NAT gateways in the same private subnets as the EC2 instances.
C. Create public NAT gateways in public subnets in the same VPCs as the EC2 instances.
D. Create private NAT gateways in public subnets in the same VPCs as the EC2 instances.

Answer 90

C. Create public NAT gateways in public subnets in the same VPCs as the EC2 instances.

Explanation:
Public NAT GW in Public Subnet to have access to internet. Private NAT GW is used for VPC or
on-prem.

Question 91

QUESTION 806
A company is using an Application Load Balancer (ALB) to present its application to the internet.
The company finds abnormal traffic access patterns across the application. A solutions architect
needs to improve visibility into the infrastructure to help the company understand these
abnormalities better.
What is the MOST operationally efficient solution that meets these requirements?
A. Create a table in Amazon Athena for AWS CloudTrail logs. Create a query for the relevant
information.
B. Enable ALB access logging to Amazon S3. Create a table in Amazon Athena, and query the logs.
C. Enable ALB access logging to Amazon S3. Open each file in a text editor, and search each line for
the relevant information.
D. Use Amazon EMR on a dedicated Amazon EC2 instance to directly query the ALB to acquire
traffic access log information.

Answer 91

B. Enable ALB access logging to Amazon S3. Create a table in Amazon Athena, and query the logs.

Question 92

QUESTION 805
A company hosts a database that runs on an Amazon RDS instance that is deployed to multiple
Availability Zones. The company periodically runs a script against the database to report new
entries that are added to the database. The script that runs against the database negatively
affects the performance of a critical application. The company needs to improve application
performance with minimal costs.
Which solution will meet these requirements with the LEAST operational overhead?
A. Add functionality to the script to identify the instance that has the fewest active connections.
Configure the script to read from that instance to report the total new entries.
B. Create a read replica of the database. Configure the script to query only the read replica to report
the total new entries.
C. Instruct the development team to manually export the new entries for the day in the database at
the end of each day.
D. Use Amazon ElastiCache to cache the common queries that the script runs against the database.

Answer 92

C. Instruct the development team to manually export the new entries for the day in the database at
the end of each day.

Question 93

QUESTION 804
A company runs a three-tier application in a VPC. The database tier uses an Amazon RDS for
MySQL DB instance.
The company plans to migrate the RDS for MySQL DB instance to an Amazon Aurora
PostgreSQL DB cluster. The company needs a solution that replicates the data changes that
happen during the migration to the new database.
Which combination of steps will meet these requirements? (Choose two.)
A. Use AWS Database Migration Service (AWS DMS) Schema Conversion to transform the database
objects.
B. Use AWS Database Migration Service (AWS DMS) Schema Conversion to create an Aurora
PostgreSQL read replica on the RDS for MySQL DB instance.
C. Configure an Aurora MySQL read replica for the RDS for MySQL DB instance.
D. Define an AWS Database Migration Service (AWS DMS) task with change data capture (CDC) to
migrate the data.
E. Promote the Aurora PostgreSQL read replica to a standalone Aurora PostgreSQL DB cluster when
the replica lag is zero.

Answer 93

A. Use AWS Database Migration Service (AWS DMS) Schema Conversion to transform the database
objects.
D. Define an AWS Database Migration Service (AWS DMS) task with change data capture (CDC) to
migrate the data.

Question 94

QUESTION 803
An online video game company must maintain ultra-low latency for its game servers. The game
servers run on Amazon EC2 instances. The company needs a solution that can handle millions of
UDP internet traffic requests each second.
Which solution will meet these requirements MOST cost-effectively?
A. Configure an Application Load Balancer with the required protocol and ports for the internet traffic.
Specify the EC2 instances as the targets.
B. Configure a Gateway Load Balancer for the internet traffic. Specify the EC2 instances as the
targets.
C. Configure a Network Load Balancer with the required protocol and ports for the internet traffic.
Specify the EC2 instances as the targets.
D. Launch an identical set of game servers on EC2 instances in separate AWS Regions. Route
internet traffic to both sets of EC2 instances.

Answer 94

C. Configure a Network Load Balancer with the required protocol and ports for the internet traffic.
Specify the EC2 instances as the targets.

Explanation:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html

Question 95

QUESTION 802
A company has NFS servers in an on-premises data center that need to periodically back up
small amounts of data to Amazon S3.
Which solution meets these requirements and is MOST cost-effective?
A. Set up AWS Glue to copy the data from the on-premises servers to Amazon S3.
B. Set up an AWS DataSync agent on the on-premises servers, and sync the data to Amazon S3.
C. Set up an SFTP sync using AWS Transfer for SFTP to sync data from on premises to Amazon S3.
D. Set up an AWS Direct Connect connection between the on-premises data center and a VPC, and
copy the data to Amazon S3.

Answer 95

B. Set up an AWS DataSync agent on the on-premises servers, and sync the data to Amazon S3.

Question 96

QUESTION 801
A company copies 200 TB of data from a recent ocean survey onto AWS Snowball Edge Storage
Optimized devices. The company has a high performance computing (HPC) cluster that is hosted
on AWS to look for oil and gas deposits. A solutions architect must provide the cluster with
consistent sub-millisecond latency and high-throughput access to the data on the Snowball Edge
Storage Optimized devices. The company is sending the devices back to AWS.
Which solution will meet these requirements?
A. Create an Amazon S3 bucket. Import the data into the S3 bucket. Configure an AWS Storage
Gateway file gateway to use the S3 bucket. Access the file gateway from the HPC cluster
instances.
B. Create an Amazon S3 bucket. Import the data into the S3 bucket. Configure an Amazon FSx for
Lustre file system, and integrate it with the S3 bucket. Access the FSx for Lustre file system from
the HPC cluster instances.
C. Create an Amazon S3 bucket and an Amazon Elastic File System (Amazon EFS) file system.
Import the data into the S3 bucket. Copy the data from the S3 bucket to the EFS file system.
Access the EFS file system from the HPC cluster instances.
D. Create an Amazon FSx for Lustre file system. Import the data directly into the FSx for Lustre file
system. Access the FSx for Lustre file system from the HPC cluster instances.

Answer 96

D. Create an Amazon FSx for Lustre file system. Import the data directly into the FSx for Lustre file
system. Access the FSx for Lustre file system from the HPC cluster instances.