[ { "question": "A company needs to architect a hybrid DNS solution. This solution will use an Amazon Route 53 private hosted zone for the domain cloud.example.com for the resources stored within VPCs. The company has the following DNS resolution requirements: On-premises systems should be able to resolve and connect to cloud.example.com. All VPCs should be able to resolve cloud.example.com. There is already an AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway. Which architecture should the company use to meet these requirements with the HIGHEST performance?", "options": [ "A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in", "B. Associate the private hosted zone to all the VPCs. Deploy an Amazon EC2 conditional", "C. Associate the private hosted zone to the shared services VPC. Create a Route 53 outbound", "D. Associate the private hosted zone to the shared services VPC. Create a Route 53 inbound" ], "correct": "D. Associate the private hosted zone to the shared services VPC. Create a Route 53 inbound", "explanation": "Explanation/Reference: Community vote distribution A (85%) D (15%)", "references": "" }, { "question": "Topic 1 A company is providing weather data over a REST-based API to several customers. The API is hosted by Amazon API Gateway and is integrated with different AWS Lambda functions for each API operation. The company uses Amazon Route 53 for DNS and has created a resource record of weather.example.com. The company stores data for the API in Amazon DynamoDB tables. The company needs a solution that will give the API the ability to fail over to a different AWS Region. Which solution will meet these requirements?", "options": [ "A. Deploy a new set of Lambda functions in a new Region. Update the API Gateway API to use", "B. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route", "C. 
Deploy a new API Gateway API and Lambda functions in another Region. Change the Route", "D. Deploy a new API Gateway API in a new Region. Change the Lambda functions to global" ], "correct": "C. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route", "explanation": "Explanation/Reference: Community vote distribution C (99%) 1%", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations with a single OU named Production to manage multiple accounts. All accounts are members of the Production OU. Administrators use deny list SCPs in the root of the organization to manage access to restricted services. The company recently acquired a new business unit and invited the new unit's existing AWS account to the organization. Once onboarded, the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company's policies. Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?", "options": [ "A. Remove the organization's root SCPs that limit access to AWS Config. Create AWS Service", "B. Create a temporary OU named Onboarding for the new account. Apply an SCP to the", "C. Convert the organization's root SCPs from deny list SCPs to allow list SCPs to allow the", "D. Create a temporary OU named Onboarding for the new account. Apply an SCP to the", "A. Enable Aurora Auto Scaling for Aurora Replicas. Use a Network Load Balancer with the", "B. Enable Aurora Auto Scaling for Aurora writers. Use an Application Load Balancer with the", "C. Enable Aurora Auto Scaling for Aurora Replicas. Use an Application Load Balancer with the", "D. Enable Aurora Scaling for Aurora writers. Use a Network Load Balancer with the least" ], "correct": "C. Enable Aurora Auto Scaling for Aurora Replicas. 
Use an Application Load Balancer with the", "explanation": "Explanation/Reference: Community vote distribution C (95%) 5%", "references": "" }, { "question": "Topic 1 A company uses a service to collect metadata from applications that the company hosts on premises. Consumer devices such as TVs and internet radios access the applications. Many older devices do not support certain HTTP headers and exhibit errors when these headers are present in responses. The company has configured an on-premises load balancer to remove the unsupported headers from responses sent to older devices, which the company identified by the User-Agent headers. The company wants to migrate the service to AWS, adopt serverless technologies, and retain the ability to support the older devices. The company has already migrated the applications into a set of AWS Lambda functions. Which solution will meet these requirements?", "options": [ "A. Create an Amazon CloudFront distribution for the metadata service. Create an Application", "B. Create an Amazon API Gateway REST API for the metadata service. Configure API Gateway", "C. Create an Amazon API Gateway HTTP API for the metadata service. Configure API", "D. Create an Amazon CloudFront distribution for the metadata service. Create an Application" ], "correct": "B. Create an Amazon API Gateway REST API for the metadata service. Configure API Gateway", "explanation": "Explanation/Reference: Community vote distribution A (46%) D (27%) B (16%) 11%", "references": "" }, { "question": "Topic 1 A retail company needs to provide a series of data files to another company, which is its business partner. These files are saved in an Amazon S3 bucket under Account A, which belongs to the retail company. The business partner company wants one of its IAM users, User_DataProcessor, to access the files from its own AWS account (Account B). 
Which combination of steps must the companies take so that User_DataProcessor can access the S3 bucket successfully? (Choose two.)", "options": [ "A. Turn on the cross-origin resource sharing (CORS) feature for the S3 bucket in Account A.", "B. In Account A, set the S3 bucket policy to the following:", "C. In Account A, set the S3 bucket policy to the following:" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution C (64%) D (33%) 3%", "references": "" }, { "question": "Topic 1 A company is running a traditional web application on Amazon EC2 instances. The company needs to refactor the application as microservices that run on containers. Separate versions of the application exist in two distinct environments: production and testing. Load for the application is variable, but the minimum load and the maximum load are known. A solutions architect needs to design the updated application with a serverless architecture that minimizes operational complexity. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Upload the container images to AWS Lambda as functions. Configure a concurrency limit", "B. Upload the container images to Amazon Elastic Container Registry (Amazon ECR).", "C. Upload the container images to Amazon Elastic Container Registry (Amazon ECR).", "D. Upload the container images to AWS Elastic Beanstalk. In Elastic Beanstalk, create" ], "correct": "B. Upload the container images to Amazon Elastic Container Registry (Amazon ECR).", "explanation": "Explanation/Reference: Community vote distribution B (84%) Other", "references": "" }, { "question": "Topic 1 A company has a multi-tier web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB and the Auto Scaling group are replicated in a backup AWS Region. 
The minimum value and the maximum value for the Auto Scaling group are set to zero. An Amazon RDS Multi-AZ DB instance stores the application's data. The DB instance has a read replica in the backup Region. The application presents an endpoint to end users by using an Amazon Route 53 record. The company needs to reduce its RTO to less than 15 minutes by giving the application the ability to automatically fail over to the backup Region. The company does not have a large enough budget for an active-active strategy. What should a solutions architect recommend to meet these requirements? A. Reconfigure the application's Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.", "options": [ "B. Create an AWS Lambda function in the backup Region to promote the read replica and", "C. Configure the Auto Scaling group in the backup Region to have the same values as the", "D. Configure an endpoint in AWS Global Accelerator with the two ALBs as equal weighted" ], "correct": "B. Create an AWS Lambda function in the backup Region to promote the read replica and", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is hosting a critical application on a single Amazon EC2 instance. The application uses an Amazon ElastiCache for Redis single-node cluster for an in-memory data store. The application uses an Amazon RDS for MariaDB DB instance for a relational database. For the application to function, each piece of the infrastructure must be healthy and must be in an active state. 
A solutions architect needs to improve the application's architecture so that the infrastructure can automatically recover from failure with the least possible downtime. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure", "B. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure", "C. Modify the DB instance to create a read replica in the same Availability Zone. Promote the", "D. Modify the DB instance to create a Multi-AZ deployment that extends across two" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ADF (97%) 3%", "references": "" }, { "question": "Topic 1 A retail company is operating its ecommerce application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses an Amazon RDS DB instance as the database backend. Amazon CloudFront is configured with one origin that points to the ALB. Static content is cached. Amazon Route 53 is used to host all public zones. After an update of the application, the ALB occasionally returns a 502 status code (Bad Gateway) error. The root cause is malformed HTTP headers that are returned to the ALB. The webpage returns successfully when a solutions architect reloads the webpage immediately after the error occurs. While the company is working on the problem, the solutions architect needs to provide a custom error page instead of the standard ALB error page to visitors. Which combination of steps will meet this requirement with the LEAST amount of operational overhead? (Choose two.)", "options": [ "A. Create an Amazon S3 bucket. Configure the S3 bucket to host a static webpage. Upload", "B. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health", "C. Modify the existing Amazon Route 53 records by adding health checks. 
Configure a", "D. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health", "A. Create a transit gateway in the infrastructure account.", "B. Enable resource sharing from the AWS Organizations management account.", "C. Create VPCs in each AWS account within the organization in AWS Organizations. Configure", "D. Create a resource share in AWS Resource Access Manager in the infrastructure account." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (86%) 14%", "references": "" }, { "question": "Topic 1 A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC. The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company's VPC. All permissions must conform to the principles of least privilege. Which solution meets these requirements?", "options": [ "A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint", "B. Create an AWS Site-to-Site VPN connection between the third-party SaaS application and", "C. Create a VPC peering connection between the third-party SaaS application and the", "D. Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an" ], "correct": "A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint", "explanation": "Explanation/Reference: Community vote distribution A (93%) 7%", "references": "" }, { "question": "Topic 1 A company needs to implement a patching process for its servers. The on-premises servers and Amazon EC2 instances use a variety of tools to perform patching. 
Management requires a single report showing the patch status of all the servers and instances. Which set of actions should a solutions architect take to meet these requirements?", "options": [ "A. Use AWS Systems Manager to manage patches on the on-premises servers and EC2", "B. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances.", "C. Use an Amazon EventBridge rule to apply patches by scheduling an AWS Systems Manager", "D. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances." ], "correct": "A. Use AWS Systems Manager to manage patches on the on-premises servers and EC2", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances. Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?", "options": [ "A. Create a script to copy log files to Amazon S3, and store the script in a file on the EC2", "B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3.", "C. Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon", "D. Create an AWS Systems Manager document with a script to copy log files to Amazon S3." ], "correct": "B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is using multiple AWS accounts. 
The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The company's applications and databases are running in Account B. A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53. During deployment, the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance. The solutions architect confirmed that the record set was created correctly in Route 53. Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)", "options": [ "A. Deploy the database on a separate EC2 instance in the new VPC. Create a record set for", "B. Use SSH to connect to the application tier EC2 instance. Add an RDS endpoint IP address", "C. Create an authorization to associate the private hosted zone in Account A with the new", "D. Create a private hosted zone for the example.com domain in Account B. Configure Route" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CE (100%)", "references": "" }, { "question": "Topic 1 A company used Amazon EC2 instances to deploy a web fleet to host a blog site. The EC2 instances are behind an Application Load Balancer (ALB) and are configured in an Auto Scaling group. The web application stores all blog content on an Amazon EFS volume. The company recently added a feature for bloggers to add video to their posts, attracting 10 times the previous user traffic. At peak times of day, users report buffering and timeout issues while attempting to reach the site or watch videos. Which is the MOST cost-efficient and scalable deployment that will resolve the issues for users?", "options": [ "A. Reconfigure Amazon EFS to enable maximum I/O.", "B. Update the blog site to use instance store volumes for storage. 
Copy the site contents to", "C. Configure an Amazon CloudFront distribution. Point the distribution to an S3 bucket, and", "D. Set up an Amazon CloudFront distribution for all site contents, and point the distribution at" ], "correct": "C. Configure an Amazon CloudFront distribution. Point the distribution to an S3 bucket, and", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A company with global offices has a single 1 Gbps AWS Direct Connect connection to a single AWS Region. The company's on-premises network uses the connection to communicate with the company's resources in the AWS Cloud. The connection has a single private virtual interface that connects to a single VPC. A solutions architect must implement a solution that adds a redundant Direct Connect connection in the same Region. The solution also must provide connectivity to other Regions through the same pair of Direct Connect connections as the company expands into other Regions. Which solution meets these requirements?", "options": [ "A. Provision a Direct Connect gateway. Delete the existing private virtual interface from the", "B. Keep the existing private virtual interface. Create the second Direct Connect connection.", "C. Keep the existing private virtual interface. Create the second Direct Connect connection.", "D. Provision a transit gateway. Delete the existing private virtual interface from the existing" ], "correct": "A. Provision a Direct Connect gateway. Delete the existing private virtual interface from the", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company has a web application that allows users to upload short videos. The videos are stored on Amazon EBS volumes and analyzed by custom recognition software for categorization. The website contains static content that has variable traffic with peaks in certain months. 
The architecture consists of Amazon EC2 instances running in an Auto Scaling group for the web application and EC2 instances running in an Auto Scaling group to process an Amazon SQS queue. The company wants to re-architect the application to reduce operational overhead using AWS managed services where possible and remove dependencies on third-party software. Which solution meets these requirements?", "options": [ "A. Use Amazon ECS containers for the web application and Spot instances for the Auto", "B. Store the uploaded videos in Amazon EFS and mount the file system to the EC2 instances", "C. Host the web application in Amazon S3. Store the uploaded videos in Amazon S3. Use S3", "D. Use AWS Elastic Beanstalk to launch EC2 instances in an Auto Scaling group for the web" ], "correct": "D. Use AWS Elastic Beanstalk to launch EC2 instances in an Auto Scaling group for the web", "explanation": "Explanation/Reference: Community vote distribution C (87%) 13%", "references": "" }, { "question": "Topic 1 A company has a serverless application comprised of Amazon CloudFront, Amazon API Gateway, and AWS Lambda functions. The current deployment process of the application code is to create a new version number of the Lambda function and run an AWS CLI script to update. If the new function version has errors, another CLI script reverts by deploying the previous working version of the function. The company would like to decrease the time to deploy new versions of the application logic provided by the Lambda functions, and also reduce the time to detect and revert when errors are identified. How can this be accomplished?", "options": [ "A. Create and deploy nested AWS CloudFormation stacks with the parent stack consisting of", "B. Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambda version, gradually", "C. Refactor the AWS CLI scripts into a single script that deploys the new Lambda version.", "D. 
Create and deploy an AWS CloudFormation stack that consists of a new API Gateway" ], "correct": "B. Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambda version, gradually", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is planning to store a large number of archived documents and make the documents available to employees through the corporate intranet. Employees will access the system by connecting through a client VPN service that is attached to a VPC. The data must not be accessible to the public. The documents that the company is storing are copies of data that is held on physical media elsewhere. The number of requests will be low. Availability and speed of retrieval are not concerns of the company. Which solution will meet these requirements at the LOWEST cost?", "options": [ "A. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 One Zone-Infrequent", "B. Launch an Amazon EC2 instance that runs a web server. Attach an Amazon Elastic File", "C. Launch an Amazon EC2 instance that runs a web server. Attach an Amazon Elastic Block", "D. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 Glacier Deep Archive" ], "correct": "D. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 Glacier Deep Archive", "explanation": "Explanation/Reference: Community vote distribution A (66%) D (33%) 1%", "references": "" }, { "question": "Topic 1 A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company's AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company's AWS accounts. The company's security policy requires conditional access to the accounts based on user groups and roles. 
User identities must be managed in a single location. Which solution will meet these requirements?", "options": [ "A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by", "B. Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM Identity Center as", "C. In one of the company's AWS accounts, configure AWS Identity and Access Management", "D. In one of the company's AWS accounts, configure AWS Identity and Access Management" ], "correct": "D. In one of the company's AWS accounts, configure AWS Identity and Access Management", "explanation": "Explanation/Reference: Community vote distribution A (78%) 9% 9%", "references": "" }, { "question": "Topic 1 A software company has deployed an application that consumes a REST API by using Amazon API Gateway, AWS Lambda functions, and an Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys. A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API's reputation. What should the solutions architect recommend to improve the customer experience?", "options": [ "A. Implement retry logic with exponential backoff and irregular variation in the client", "B. Implement API throttling through a usage plan at the API Gateway level. Ensure that the", "C. Turn on API caching to enhance responsiveness for the production stage. Run 10-minute", "D. Implement reserved concurrency at the Lambda function level to provide the resources" ], "correct": "B. Implement API throttling through a usage plan at the API Gateway level. 
Ensure that the", "explanation": "Explanation/Reference: Community vote distribution B (71%) A (27%) 1%", "references": "" }, { "question": "Topic 1 A company is running a data-intensive application on AWS. The application runs on a cluster of hundreds of Amazon EC2 instances. A shared file system also runs on several EC2 instances that store 200 TB of data. The application reads and modifies the data on the shared file system and generates a report. The job runs once monthly, reads a subset of the files from the shared file system, and takes about 72 hours to complete. The compute instances scale in an Auto Scaling group, but the instances that host the shared file system run continuously. The compute and storage instances are all in the same AWS Region. A solutions architect needs to reduce costs by replacing the shared file system instances. The file system must provide high performance access to the needed data for the duration of the 72-hour run. Which solution will provide the LARGEST overall cost reduction while meeting these requirements?", "options": [ "A. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses", "B. Migrate the data from the existing shared file system to a large Amazon Elastic Block Store", "C. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses", "D. Migrate the data from the existing shared file system to an Amazon S3 bucket. Before the" ], "correct": "D. Migrate the data from the existing shared file system to an Amazon S3 bucket. Before the", "explanation": "Explanation/Reference: Community vote distribution A (88%) 13%", "references": "" }, { "question": "Topic 1 A company is developing a new service that will be accessed using TCP on a static port. A solutions architect must ensure that the service is highly available, has redundancy across Availability Zones, and is accessible using the DNS name my.service.com, which is publicly accessible. 
The service must use fixed address assignments so other companies can add the addresses to their allow lists. Assuming that resources are deployed in multiple Availability Zones in a single Region, which solution will meet these requirements?", "options": [ "A. Create Amazon EC2 instances with an Elastic IP address for each instance. Create a", "B. Create an Amazon ECS cluster and a service definition for the application. Create and", "C. Create Amazon EC2 instances for the service. Create one Elastic IP address for each", "D. Create an Amazon ECS cluster and a service definition for the application. Create and" ], "correct": "C. Create Amazon EC2 instances for the service. Create one Elastic IP address for each", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company uses an on-premises data analytics platform. The system is highly available in a fully redundant configuration across 12 servers in the company's data center. The system runs scheduled jobs, both hourly and daily, in addition to one-time requests from users. Scheduled jobs can take between 20 minutes and 2 hours to finish running and have tight SLAs. The scheduled jobs account for 65% of the system usage. User jobs typically finish running in less than 5 minutes and have no SLA. The user jobs account for 35% of system usage. During system failures, scheduled jobs must continue to meet SLAs. However, user jobs can be delayed. A solutions architect needs to move the system to Amazon EC2 instances and adopt a consumption-based model to reduce costs with no long-term commitments. The solution must maintain high availability and must not affect the SLAs. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Split the 12 instances across two Availability Zones in the chosen AWS Region. Run two", "B. 
Split the 12 instances across three Availability Zones in the chosen AWS Region. In one of", "C. Split the 12 instances across three Availability Zones in the chosen AWS Region. Run two", "D. Split the 12 instances across three Availability Zones in the chosen AWS Region. Run three" ], "correct": "C. Split the 12 instances across three Availability Zones in the chosen AWS Region. Run two", "explanation": "Explanation/Reference: Community vote distribution D (92%) 8%", "references": "" }, { "question": "Topic 1 A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security: The database must use strong, randomly generated passwords stored in a secure AWS managed service. The application resources must be deployed through AWS CloudFormation. The application must rotate credentials for the database every 90 days. A solutions architect will generate a CloudFormation template to deploy the application. Which resources specified in the CloudFormation template will meet the security engineer's requirements with the LEAST amount of operational overhead?", "options": [ "A. Generate the database password as a secret resource using AWS Secrets Manager. Create", "B. Generate the database password as a SecureString parameter type using AWS Systems", "C. Generate the database password as a secret resource using AWS Secrets Manager. Create", "D. Generate the database password as a SecureString parameter type using AWS Systems" ], "correct": "B. Generate the database password as a SecureString parameter type using AWS Systems", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is storing data in several Amazon DynamoDB tables. 
A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand. Which solutions meet these requirements? (Choose two.)", "options": [ "A. Create an Amazon API Gateway REST API. Configure this API with direct integrations to", "B. Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to", "C. Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS", "D. Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (79%) 10% 5%", "references": "" }, { "question": "Topic 1 A company has registered 10 new domain names. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL for each domain. All domains and target URLs are defined in a JSON document. All DNS records are managed by Amazon Route 53. A solutions architect must implement a redirect service that accepts HTTP and HTTPS requests. Which combination of steps should the solutions architect take to meet these requirements with the LEAST amount of operational effort? (Choose three.)", "options": [ "A. Create a dynamic webpage that runs on an Amazon EC2 instance. Configure the webpage", "B. Create an Application Load Balancer that includes HTTP and HTTPS listeners.", "C. Create an AWS Lambda function that uses the JSON document in combination with the", "D. Use an Amazon API Gateway API with a custom domain to publish an AWS Lambda" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CEF (52%) BCF (33%) Other", "references": "" }, { "question": "Topic 1 A company that has multiple AWS accounts is using AWS Organizations. The company's AWS accounts host VPCs, Amazon EC2 instances, and containers. 
The company's compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2 instances and send information to the AWS account that is dedicated for the compliance team. The company has tagged all the compliance-related resources with a key of \"costCenter\" and a value of \"compliance\". The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the compliance team's AWS account. The cost calculation must be as accurate as possible. What should a solutions architect do to meet these requirements?", "options": [ "A. In the management account of the organization, ac tivate the costCenter user-defined tag.", "B. In the member accounts of the organization, activ ate the costCenter user-defined tag.", "C. In the member accounts of the organization activa te the costCenter user-defined tag. From", "D. Create a custom report in the organization view i n AWS Trusted Advisor. Configure the" ], "correct": "A. In the management account of the organization, ac tivate the costCenter user-defined tag.", "explanation": "Explanation/Reference: Community vote distribution A (95%) 5%", "references": "" }, { "question": "Topic 1 A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company wants to use AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment. Which combination of steps will meet these requirements? (Choose two.)", "options": [ "A. From the management account, share the transit ga teway with member accounts by using", "B. From the management account, share the transit ga teway with member accounts by using", "C. Launch an AWS CloudFormation stack set from the m anagement account that", "D.
Launch an AWS CloudFormation stack set from the m anagement account that" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (100%)", "references": "" }, { "question": "Topic 1 An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by procurement managers. The procurement team's policy indicates that developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The procurement team wants administration of Private Marketplace to be restricted to a role named procurement-manager-role, which could be assumed by procurement managers. Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access. What is the MOST efficient way to design an architecture to meet these requirements?", "options": [ "A. Create an IAM role named procurement-manager-role in all AWS accounts in the", "B. Create an IAM role named procurement-manager-role in all AWS accounts in the", "C. Create an IAM role named procurement-manager-role in all the shared services accounts in", "D. Create an IAM role named procurement-manager-role in all AWS accounts that will be used", "A. Create an explicit deny statement for each AWS se rvice that should be constrained. \u00b7", "B. Remove the FullAWSAccess SCP from the developers account's OU.", "C. Modify the FullAWSAccess SCP to explicitly deny a ll services.", "D. Add an explicit deny statement using a wildcard t o the end of the SCP." ], "correct": "A. Create an explicit deny statement for each AWS se rvice that should be constrained.
\u00b7", "explanation": "Explanation/Reference: Community vote distribution B (71%) D (22%) 6%", "references": "" }, { "question": "Topic 1 A company is hosting a monolithic REST-based API for a mobile app on five Amazon EC2 instances in public subnets of a VPC. Mobile clients connect to the API by using a domain name that is hosted on Amazon Route 53. The company has created a Route 53 multivalue answer routing policy with the IP addresses of all the EC2 instances. Recently, the app has been overwhelmed by large and sudden increases to traffic. The app has not been able to keep up with the traffic. A solutions architect needs to implement a solution so that the app can handle the new and varying load. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Separate the API into individual AWS Lambda funct ions. Configure an Amazon API", "B. Containerize the API logic. Create an Amazon Elas tic Kubernetes Service (Amazon EKS)", "C. Create an Auto Scaling group. Place all the EC2 i nstances in the Auto Scaling group.", "D. Create an Application Load Balancer (ALB) in fron t of the API. Move the EC2 instances to" ], "correct": "D. Create an Application Load Balancer (ALB) in fron t of the API. Move the EC2 instances to", "explanation": "Explanation/Reference: Community vote distribution A (48%) D (26%) C (26%)", "references": "" }, { "question": "A company has created an OU in AWS Organizations for each of its engineering teams. Each OU owns multiple AWS accounts. The organization has hundreds of AWS accounts. A solutions architect must design a solution so that each OU can view a breakdown of usage costs across its AWS accounts. Which solution meets these requirements?", "options": [ "A. Create an AWS Cost and Usage Report (CUR) for eac h OU by using AWS Resource Access", "B. Create an AWS Cost and Usage Report (CUR) from th e AWS Organizations management", "C.
Create an AWS Cost and Usage Report (CUR) in each AWS Organizations member account.", "D. Create an AWS Cost and Usage Report (CUR) by usin g AWS Systems Manager. Allow each" ], "correct": "B. Create an AWS Cost and Usage Report (CUR) from th e AWS Organizations management", "explanation": "Explanation/Reference: Community vote distribution B (93%) 4%", "references": "" }, { "question": "Topic 1 A company is storing data on premises on a Windows file server. The company produces 5 GB of new data daily. The company migrated part of its Windows-based workload to AWS and needs the data to be available on a file system in the cloud. The company already has established an AWS Direct Connect connection between the on-premises network and AWS. Which data migration strategy should the company use?", "options": [ "A. Use the file gateway option in AWS Storage Gatewa y to replace the existing Windows file", "B. Use AWS DataSync to schedule a daily task to repl icate data between the on-premises", "C. Use AWS Data Pipeline to schedule a daily task to replicate data between the on-premises", "D. Use AWS DataSync to schedule a daily task to repl icate data between the on-premises" ], "correct": "B. Use AWS DataSync to schedule a daily task to repl icate data between the on-premises", "explanation": "Explanation/Reference: Community vote distribution B (65%) A (35%)", "references": "" }, { "question": "Topic 1 A company's solutions architect is reviewing a web application that runs on AWS. The application references static assets in an Amazon S3 bucket in the us-east-1 Region. The company needs resiliency across multiple AWS Regions. The company already has created an S3 bucket in a second Region. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Configure the application to write each object to both S3 buckets. Set up an Amazon Route", "B.
Create an AWS Lambda function to copy objects fro m the S3 bucket in us-east-1 to the S3", "C. Configure replication on the S3 bucket in us-east -1 to replicate objects to the S3 bucket in", "D. Configure replication on the S3 bucket in us-east -1 to replicate objects to the S3 bucket in" ], "correct": "D. Configure replication on the S3 bucket in us-east -1 to replicate objects to the S3 bucket in", "explanation": "Explanation/Reference: Community vote distribution C (95%) 2%", "references": "" }, { "question": "Topic 1 A company is hosting a three-tier web application in an on-premises environment. Due to a recent surge in traffic that resulted in downtime and a significant financial impact, company management has ordered that the application be moved to AWS. The application is written in .NET and has a dependency on a MySQL database. A solutions architect must design a scalable and highly available solution to meet the demand of 200,000 daily users. Which steps should the solutions architect take to design an appropriate solution?", "options": [ "A. Use AWS Elastic Beanstalk to create a new applica tion with a web server environment and", "B. Use AWS CloudFormation to launch a stack containi ng an Application Load Balancer (ALB)", "D. Use AWS CloudFormation to launch a stack containi ng an Application Load Balancer (ALB)" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (92%) 5%", "references": "" }, { "question": "Topic 1 A company is using AWS Organizations to manage multiple AWS accounts. For security purposes, the company requires the creation of an Amazon Simple Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations member accounts. A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of CloudFormation stacks. Trusted access has been enabled in Organizations.
What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?", "options": [ "A. Create a stack set in the Organizations member ac counts. Use service-managed", "B. Create stacks in the Organizations member account s. Use self-service permissions. Set", "C. Create a stack set in the Organizations managemen t account. Use service-managed", "D. Create stacks in the Organizations management acc ount. Use service-managed", "A. Assess the existing applications by installing AW S Application Discovery Agent on the", "B. Assess the existing applications by installing AW S Systems Manager Agent on the physical", "C. Group servers into applications for migration by using AWS Systems Manager Application", "D. Group servers into applications for migration by using AWS Migration Hub." ], "correct": "C. Create a stack set in the Organizations managemen t account. Use service-managed", "explanation": "Explanation/Reference: Community vote distribution ADE (94%) 6%", "references": "" }, { "question": "Topic 1 A company is hosting an image-processing service on AWS in a VPC. The VPC extends across two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. The service runs on Amazon EC2 instances in the private subnets. An Application Load Balancer in the public subnets is in front of the service. The service needs to communicate with the internet and does so through two NAT gateways. The service uses Amazon S3 for image storage. The EC2 instances retrieve approximately 1 of data from an S3 bucket each day. The company has promoted the service as highly secure. A solutions architect must reduce cloud expenditures as much as possible without compromising the service's security posture or increasing the time spent on ongoing operations. Which solution will meet these requirements?", "options": [ "A. Replace the NAT gateways with NAT instances. In t he VPC route table, create a route from \u00b7", "B.
Move the EC2 instances to the public subnets. Rem ove the NAT gateways.", "C. Set up an S3 gateway VPC endpoint in the VPAttach an endpoint policy to the endpoint to", "D. Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host" ], "correct": "C. Set up an S3 gateway VPC endpoint in the VPAttach an endpoint policy to the endpoint to", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company recently deployed an application on AWS. The application uses Amazon DynamoDB. The company measured the application load and configured the RCUs and WCUs on the DynamoDB table to match the expected peak load. The peak load occurs once a week for a 4-hour period and is double the average load. The application load is close to the average load for the rest of the week. The access pattern includes many more writes to the table than reads of the table. A solutions architect needs to implement a solution to minimize the cost of the table. Which solution will meet these requirements?", "options": [ "A. Use AWS Application Auto Scaling to increase capa city during the peak period. Purchase", "B. Configure on-demand capacity mode for the table.", "C. Configure DynamoDB Accelerator (DAX) in front of the table. Reduce the provisioned read", "D. Configure DynamoDB Accelerator (DAX) in front of the table. Configure on-demand" ], "correct": "D. Configure DynamoDB Accelerator (DAX) in front of the table. Configure on-demand", "explanation": "Explanation/Reference: Community vote distribution A (69%) B (19%) 13%", "references": "" }, { "question": "Topic 1 A solutions architect needs to advise a company on how to migrate its on-premises data processing application to the AWS Cloud. Currently, users upload input files through a web portal. The web server then stores the uploaded files on NAS and messages the processing server over a message queue.
Each media file can take up to 1 hour to process. The company has determined that the number of media files awaiting processing is significantly higher during business hours, with the number of files rapidly declining after business hours. What is the MOST cost-effective migration recommendation?", "options": [ "A. Create a queue using Amazon SQS. Configure the ex isting web server to publish to the new", "B. Create a queue using Amazon MQ. Configure the exi sting web server to publish to the new", "C. Create a queue using Amazon MQ. Configure the exi sting web server to publish to the new", "D. Create a queue using Amazon SQS. Configure the ex isting web server to publish to the new" ], "correct": "D. Create a queue using Amazon SQS. Configure the ex isting web server to publish to the new", "explanation": "Explanation/Reference: Community vote distribution D (96%) 2%", "references": "" }, { "question": "Topic 1 A company is using Amazon OpenSearch Service to analyze data. The company loads data into an OpenSearch Service cluster with 10 data nodes from an Amazon S3 bucket that uses S3 Standard storage. The data resides in the cluster for 1 month for read-only analysis. After 1 month, the company deletes the index that contains the data from the cluster. For compliance purposes, the company must retain a copy of all input data. The company is concerned about ongoing costs and asks a solutions architect to recommend a new solution. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Replace all the data nodes with UltraWarm nodes t o handle the expected capacity.", "B. Reduce the number of data nodes in the cluster to 2 Add UltraWarm nodes to handle the", "C. Reduce the number of data nodes in the cluster to 2. Add UltraWarm nodes to handle the \u00b7", "D. Reduce the number of data nodes in the cluster to 2. Add instance-backed data nodes to" ], "correct": "B.
Reduce the number of data nodes in the cluster to 2 Add UltraWarm nodes to handle the", "explanation": "Explanation/Reference: Community vote distribution B (94%) 6%", "references": "" }, { "question": "Topic 1 A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU. The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company's security team is subscribed to the SNS topic. For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source. Which solution will meet this requirement with the LEAST operational overhead?", "options": [ "A. Modify the EventBridge rule to invoke an AWS Lamb da function to remove the security", "B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd", "C. Configure an SCP to allow the ec2:AuthorizeSecuri tyGroupIngress action when the value of", "D. Configure an SCP to deny the ec2:AuthorizeSecurit yGroupIngress action when the value of", "A. For each webhook, create and configure an AWS Lam bda function URL. Update the Git", "B. Create an Amazon API Gateway HTTP API. Implement each webhook logic in a separate", "C. Deploy the webhook logic to AWS App Runner. Creat e an ALB, and set App Runner as the", "D. Containerize the webhook logic. Create an Amazon Elastic Container Service (Amazon" ], "correct": "C. Deploy the webhook logic to AWS App Runner. Creat e an ALB, and set App Runner as the", "explanation": "Explanation/Reference: Community vote distribution B (76%) 13% 11%", "references": "" }, { "question": "Topic 1 A company is planning to migrate 1,000 on-premises servers to AWS.
The servers run on several VMware clusters in the company's data center. As part of the migration plan, the company wants to gather server metrics such as CPU details, RAM usage, operating system information, and running processes. The company then wants to query and analyze the data. Which solution will meet these requirements?", "options": [ "A. Deploy and configure the AWS Agentless Discovery Connector virtual appliance on the on-", "B. Export only the VM performance information from t he on-premises hosts. Directly import", "C. Create a script to automatically gather the serve r information from the on-premises hosts.", "D. Deploy the AWS Application Discovery Agent to eac h on-premises server. Configure Data" ], "correct": "C. Create a script to automatically gather the serve r information from the on-premises hosts.", "explanation": "Explanation/Reference: Community vote distribution D (91%) 9%", "references": "" }, { "question": "Topic 1 A company is building a serverless application that runs on an AWS Lambda function that is attached to a VPC. The company needs to integrate the application with a new service from an external provider. The external provider supports only requests that come from public IPv4 addresses that are in an allow list. The company must provide a single public IP address to the external provider before the application can start using the new service. Which solution will give the application the ability to access the new service?", "options": [ "A. Deploy a NAT gateway. Associate an Elastic IP add ress with the NAT gateway. Configure", "B. Deploy an egress-only internet gateway. Associate an Elastic IP address with the egress-", "C. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway.", "D. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway." ], "correct": "C. Deploy an internet gateway.
Associate an Elastic IP address with the internet gateway.", "explanation": "Explanation/Reference: Community vote distribution A (96%) 3%", "references": "" }, { "question": "Topic 1 A solutions architect has developed a web application that uses an Amazon API Gateway Regional endpoint and an AWS Lambda function. The consumers of the web application are all close to the AWS Region where the application will be deployed. The Lambda function only queries an Amazon Aurora MySQL database. The solutions architect has configured the database to have three read replicas. During testing, the application does not meet performance requirements. Under high load, the application opens a large number of database connections. The solutions architect must improve the application's performance. Which actions should the solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Use the cluster endpoint of the Aurora database.", "B. Use RDS Proxy to set up a connection pool to the reader endpoint of the Aurora database.", "C. Use the Lambda Provisioned Concurrency feature.", "D. Move the code for opening the database connection in the Lambda function outside of the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (98%) 2%", "references": "" }, { "question": "Topic 1 A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances. One of the security requirements is to enable end-to-end encryption in transit between the client and the web server. Which solution will meet this requirement?", "options": [ "A. Place the EC2 instances behind an Application Loa d Balancer (ALB). Provision an SSL", "B. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS", "C. Place the EC2 instances behind an Application Loa d Balancer (ALB) Provision an SSL", "D. Place the EC2 instances behind a Network Load Bal ancer (NLB).
Provision a third-party" ], "correct": "C. Place the EC2 instances behind an Application Loa d Balancer (ALB) Provision an SSL", "explanation": "Explanation/Reference: Community vote distribution C (53%) D (36%) 10%", "references": "" }, { "question": "Topic 1 A company wants to migrate its data analytics environment from on premises to AWS. The environment consists of two simple Node.js applications. One of the applications collects sensor data and loads it into a MySQL database. The other application aggregates the data into reports. When the aggregation jobs run, some of the load jobs fail to run correctly. The company must resolve the data loading issue. The company also needs the migration to occur without interruptions or changes for the company's customers. What should a solutions architect do to meet these requirements?", "options": [ "A. Set up an Amazon Aurora MySQL database as a repli cation target for the on-premises", "B. Set up an Amazon Aurora MySQL database. Use AWS D atabase Migration Service (AWS", "C. Set up an Amazon Aurora MySQL database. Use AWS D atabase Migration Service (AWS", "D. Set up an Amazon Aurora MySQL database. Create an Aurora Replica for the Aurora" ], "correct": "C. Set up an Amazon Aurora MySQL database. Use AWS D atabase Migration Service (AWS", "explanation": "Explanation/Reference: Community vote distribution C (95%) 5%", "references": "" }, { "question": "Topic 1 A health insurance company stores personally identifiable information (PII) in an Amazon S3 bucket. The company uses server-side encryption with S3 managed encryption keys (SSE-S3) to encrypt the objects. According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company's security team manages. The S3 bucket does not have versioning enabled. Which solution will meet these requirements?", "options": [ "A. In the S3 bucket properties, change the default e ncryption to SSE-S3 with a customer", "B.
In the S3 bucket properties, change the default e ncryption to server-side encryption with", "C. In the S3 bucket properties, change the default e ncryption to server-side encryption with", "D. In the S3 bucket properties, change the default e ncryption to AES-256 with a customer" ], "correct": "D. In the S3 bucket properties, change the default e ncryption to AES-256 with a customer", "explanation": "Explanation/Reference: Community vote distribution B (61%) D (39%) 1%", "references": "" }, { "question": "Topic 1 A company is running a web application in the AWS Cloud. The application consists of dynamic content that is created on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group that is configured as a target group for an Application Load Balancer (ALB). The company is using an Amazon CloudFront distribution to distribute the application globally. The CloudFront distribution uses the ALB as an origin. The company uses Amazon Route 53 for DNS and has created an A record of www.example.com for the CloudFront distribution. A solutions architect must configure the application so that it is highly available and fault tolerant. Which solution meets these requirements?", "options": [ "A. Provision a full, secondary application deploymen t in a different AWS Region. Update the", "B. Provision an ALB, an Auto Scaling group, and EC2 instances in a different AWS Region.", "C. Provision an Auto Scaling group and EC2 instances in a different AWS Region. Create a", "D. Provision a full, secondary application deploymen t in a different AWS Region. Create a" ], "correct": "B. Provision an ALB, an Auto Scaling group, and EC2 instances in a different AWS Region.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has an organization in AWS Organizations that has a large number of AWS accounts.
One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts. AWS Site-to-Site VPN connections are configured between all of the company's global offices and the transit account. The company has AWS Config enabled on all of its accounts. The company's networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will reference this list to gain access to their applications securely. Which solution meets these requirements with the LEAST amount of operational overhead?", "options": [ "A. Create a JSON file that is hosted in Amazon S3 an d that lists all of the internal IP address", "B. Create a new AWS Config managed rule that contain s all of the internal IP address ranges.", "C. In the transit account, create a VPC prefix list with all of the internal IP address ranges.", "D. In the transit account, create a security group w ith all of the internal IP address ranges." ], "correct": "C. In the transit account, create a VPC prefix list with all of the internal IP address ranges.", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "A company runs a new application as a static website in Amazon S3. The company has deployed the application to a production AWS account and uses Amazon CloudFront to deliver the website. The website calls an Amazon API Gateway REST API. An AWS Lambda function backs each API method. The company wants to create a CSV report every 2 weeks to show each API Lambda function's recommended configured memory, recommended cost, and the price difference between current configurations and the recommendations. The company will store the reports in an S3 bucket. Which solution will meet these requirements with the LEAST development time?", "options": [ "A. Create a Lambda function that extracts metrics da ta for each API Lambda function from", "B.
Opt in to AWS Compute Optimizer. Create a Lambda function that calls the", "C. Opt in to AWS Compute Optimizer. Set up enhanced infrastructure metrics. Within the", "D. Purchase the AWS Business Support plan for the pr oduction account. Opt in to AWS" ], "correct": "B. Opt in to AWS Compute Optimizer. Create a Lambda function that calls the", "explanation": "Explanation/Reference: Community vote distribution B (82%) Other", "references": "" }, { "question": "Topic 1 A company's factory and automation applications are running in a single VPC. More than 20 applications run on a combination of Amazon EC2, Amazon Elastic Container Service (Amazon ECS), and Amazon RDS. The company has software engineers spread across three teams. One of the three teams owns each application, and each team is responsible for the cost and performance of all of its applications. Team resources have tags that represent their application and team. The teams use IAM access for daily activities. The company needs to determine which costs on the monthly AWS bill are attributable to each application or team. The company also must be able to create reports to compare costs from the last 12 months and to help forecast costs for the next 12 months. A solutions architect must recommend an AWS Billing and Cost Management solution that provides these cost reports. Which combination of actions will meet these requirements? (Choose three.)", "options": [ "A. Activate the user-define cost allocation tags tha t represent the application and the team. \u00b7", "B. Activate the AWS generated cost allocation tags t hat represent the application and the", "C. Create a cost category for each application in Bi lling and Cost Management.", "D. Activate IAM access to Billing and Cost Managemen t." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACF (57%) ADF (43%)", "references": "" }, { "question": "Topic 1 An AWS customer has a web application that runs on premises.
The web application fetches data from a third-party API that is behind a firewall. The third party accepts only one public CIDR block in each client's allow list. The customer wants to migrate their web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT gateways provide internet access to the private subnets. How should a solutions architect ensure that the web application can continue to call the third-party API after the migration?", "options": [ "A. Associate a block of customer-owned public IP add resses to the VPC. Enable public IP", "B. Register a block of customer-owned public IP addr esses in the AWS account. Create", "C. Create Elastic IP addresses from the block of cus tomer-owned IP addresses. Assign the", "D. Register a block of customer-owned public IP addr esses in the AWS account. Set up AWS" ], "correct": "B. Register a block of customer-owned public IP addr esses in the AWS account. Create", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company with several AWS accounts is using AWS Organizations and service control policies (SCPs). An administrator created the following SCP and has attached it to an organizational unit (OU) that contains AWS account 1111-1111-1111: Developers working in account 1111-1111-1111 complain that they cannot create Amazon S3 buckets. How should the administrator address this problem?", "options": [ "A. Add s3:CreateBucket with \"Allow\" effect to the SC P.", "B. Remove the account from the OU, and attach the SC P directly to account 1111-1111-1111.", "C. Instruct the developers to add Amazon S3 permissi ons to their IAM entities.", "D. Remove the SCP from account 1111-1111-1111." ], "correct": "C.
Instruct the developers to add Amazon S3 permissi ons to their IAM entities.", "explanation": "Explanation/Reference: Community vote distribution C (88%) 12%", "references": "" }, { "question": "Topic 1 A company has a monolithic application that is critical to the company's business. The company hosts the application on an Amazon EC2 instance that runs Amazon Linux 2. The company's application team receives a directive from the legal department to back up the data from the instance's encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon S3 bucket. The application team does not have the administrative SSH key pair for the instance. The application must continue to serve the users. Which solution will meet these requirements?", "options": [ "A. Attach a role to the instance with permission to write to Amazon S3. Use the AWS Systems", "B. Create an image of the instance with the reboot o ption turned on. Launch a new EC2", "C. Take a snapshot of the EBS volume by using Amazon Data Lifecycle Manager (Amazon", "D. Create an image of the instance. Launch a new EC2 instance from the image. Attach a role" ], "correct": "A. Attach a role to the instance with permission to write to Amazon S3. Use the AWS Systems", "explanation": "Explanation/Reference: Community vote distribution A (59%) C (40%) 1%", "references": "" }, { "question": "Topic 1 A solutions architect needs to copy data from an Amazon S3 bucket in an AWS account to a new S3 bucket in a new AWS account. The solutions architect must implement a solution that uses the AWS CLI. Which combination of steps will successfully copy the data? (Choose three.)", "options": [ "A. Create a bucket policy to allow the source bucket to list its contents and to put objects and", "B. Create a bucket policy to allow a user in the des tination account to list the source bucket's", "C. Create an IAM policy in the source account. Confi gure the policy to allow a user in the", "D.
Create an IAM policy in the destination account. Configure the policy to allow a user in the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BDF (95%) 4%", "references": "" }, { "question": "Topic 1 A company built an application based on AWS Lambda deployed in an AWS CloudFormation stack. The last production release of the web application introduced an issue that resulted in an outage lasting several minutes. A solutions architect must adjust the deployment process to support a canary release. Which solution will meet these requirements?", "options": [ "A. Create an alias for every new deployed version of the Lambda function. Use the AWS CLI", "B. Deploy the application into a new CloudFormation stack. Use an Amazon Route 53", "C. Create a version for every new deployed Lambda function. Use the AWS CLI update-", "D. Configure AWS CodeDeploy and use CodeDeployDefault.OneAtATime in the Deployment" ], "correct": "A. Create an alias for every new deployed version of the Lambda function. Use the AWS CLI", "explanation": "Explanation/Reference: Community vote distribution A (98%) 2%", "references": "" }, { "question": "Topic 1 A finance company hosts a data lake in Amazon S3. The company receives financial data records over SFTP each night from several third parties. The company runs its own SFTP server on an Amazon EC2 instance in a public subnet of a VPC. After the files are uploaded, they are moved to the data lake by a cron job that runs on the same instance. The SFTP server is reachable on DNS sftp.example.com through the use of Amazon Route 53. What should a solutions architect do to improve the reliability and scalability of the SFTP solution?", "options": [ "A. Move the EC2 instance into an Auto Scaling group. Place the EC2 instance behind an", "B. Migrate the SFTP server to AWS Transfer for SFTP. Update the DNS record \u00b7", "C. Migrate the SFTP server to a file gateway in AWS Storage Gateway.
Update the DNS record", "D. Place the EC2 instance behind a Network Load Balancer (NLB). Update the DNS record" ], "correct": "B. Migrate the SFTP server to AWS Transfer for SFTP. Update the DNS record \u00b7", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company wants to migrate an application to Amazon EC2 from VMware Infrastructure that runs in an on-premises data center. A solutions architect must preserve the software and configuration settings during the migration. What should the solutions architect do to meet these requirements?", "options": [ "A. Configure the AWS DataSync agent to start replicating the data store to Amazon FSx for", "B. Use the VMware vSphere client to export the application as an image in Open Virtualization", "C. Configure AWS Storage Gateway for files service to export a Common Internet File System", "D. Create a managed-instance activation for a hybrid environment in AWS Systems Manager." ], "correct": "D. Create a managed-instance activation for a hybrid environment in AWS Systems Manager.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A video processing company has an application that downloads images from an Amazon S3 bucket, processes the images, stores a transformed image in a second S3 bucket, and updates metadata about the image in an Amazon DynamoDB table. The application is written in Node.js and runs by using an AWS Lambda function. The Lambda function is invoked when a new image is uploaded to Amazon S3. The application ran without incident for a while. However, the size of the images has grown significantly. The Lambda function is now failing frequently with timeout errors. The function timeout is set to its maximum value. A solutions architect needs to refactor the application's architecture to prevent invocation failures.
The company does not want to manage the underlying infrastructure. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Modify the application deployment by building a Docker image that contains the", "B. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a", "C. Create an AWS Step Functions state machine with a Parallel state to invoke the Lambda", "D. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AB (89%) 5%", "references": "" }, { "question": "Topic 1 A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company's production OU. Which solution will meet this requirement?", "options": [ "A. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the", "B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS", "C. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the \u00b7", "D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU." ], "correct": "B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS", "explanation": "Explanation/Reference: Community vote distribution B (95%) 5%", "references": "" }, { "question": "Topic 1 A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company's engineers rely heavily on SSH access to the instances for troubleshooting.
The company's existing architecture includes the following: \u00b7 A VPC with private and public subnets, and a NAT gateway. \u00b7 Site-to-Site VPN for connectivity with the on-premises environment. \u00b7 EC2 security groups with direct SSH access from the on-premises environment. The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers. Which strategy should a solutions architect use?", "options": [ "A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all", "B. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses", "C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses", "D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached." ], "correct": "D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached.", "explanation": "Explanation/Reference: Community vote distribution D (90%) 10%", "references": "" }, { "question": "Topic 1 A company that uses AWS Organizations allows developers to experiment on AWS. As part of the landing zone that the company has deployed, developers use their company email address to request an account. The company wants to ensure that developers are not launching costly services or running services unnecessarily. The company must give developers a fixed monthly budget to limit their AWS costs. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Create an SCP to set a fixed monthly account usage limit. Apply the SCP to the developer", "B. Use AWS Budgets to create a fixed monthly budget for each developer's account as part of", "C. Create an SCP to deny access to costly services and components. Apply the SCP to the", "D. Create an IAM policy to deny access to costly services and components.
Apply the IAM" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BCF (80%) BDF (19%) 1%", "references": "" }, { "question": "Topic 1 A company has applications in an AWS account that is named Source. The account is in an organization in AWS Organizations. One of the applications uses AWS Lambda functions and stores inventory data in an Amazon Aurora database. The application deploys the Lambda functions by using a deployment package. The company has configured automated backups for Aurora. The company wants to migrate the Lambda functions and the Aurora database to a new AWS account that is named Target. The application processes critical data, so the company must minimize downtime. Which solution will meet these requirements?", "options": [ "A. Download the Lambda function deployment package from the Source account. Use the", "B. Download the Lambda function deployment package from the Source account. Use the", "C. Use AWS Resource Access Manager (AWS RAM) to share the Lambda functions and the", "D. Use AWS Resource Access Manager (AWS RAM) to share the Lambda functions with the" ], "correct": "C. Use AWS Resource Access Manager (AWS RAM) to share the Lambda functions and the", "explanation": "Explanation/Reference: Community vote distribution B (97%) 3%", "references": "" }, { "question": "Topic 1 A company runs a Python script on an Amazon EC2 instance to process data. The script runs every 10 minutes. The script ingests files from an Amazon S3 bucket and processes the files. On average, the script takes approximately 5 minutes to process each file. The script will not reprocess a file that the script has already processed. The company reviewed Amazon CloudWatch metrics and noticed that the EC2 instance is idle for approximately 40% of the time because of the file processing speed. The company wants to make the workload highly available and scalable. The company also wants to reduce long-term management overhead.
Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Migrate the data processing script to an AWS Lambda function. Use an S3 event", "B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure Amazon S3 to", "C. Migrate the data processing script to a container image. Run the data processing container", "D. Migrate the data processing script to a container image that runs on Amazon Elastic" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution A (69%) D (31%)", "references": "" }, { "question": "Topic 1 A financial services company in North America plans to release a new online web application to its customers on AWS. The company will launch the application in the us-east-1 Region on Amazon EC2 instances. The application must be highly available and must dynamically scale to meet user traffic. The company also wants to implement a disaster recovery environment for the application in the us-west-1 Region by using active-passive failover. Which solution will meet these requirements?", "options": [ "A. Create a VPC in us-east-1 and a VPC in us-west-1. Configure VPC peering. In the us-east-1", "B. Create a VPC in us-east-1 and a VPC in us-west-1. In the us-east-1 VPC, create an", "C. Create a VPC in us-east-1 and a VPC in us-west-1. In the us-east-1 VPC, create an", "D. Create a VPC in us-east-1 and a VPC in us-west-1. Configure VPC peering. In the us-east-1" ], "correct": "C. Create a VPC in us-east-1 and a VPC in us-west-1. In the us-east-1 VPC, create an", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company has an environment that has a single AWS account. A solutions architect is reviewing the environment to recommend what the company could improve specifically in terms of access to the AWS Management Console.
The company's IT support workers currently access the console for administrative tasks, authenticating with named IAM users that have been mapped to their job role. The IT support workers no longer want to maintain both their Active Directory and IAM user accounts. They want to be able to access the console by using their existing Active Directory credentials. The solutions architect is using AWS IAM Identity Center (AWS Single Sign-On) to implement this functionality. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in", "B. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in", "C. Create an organization in AWS Organizations. Turn on all features for the organization.", "D. Create an organization in AWS Organizations. Turn on all features for the organization." ], "correct": "D. Create an organization in AWS Organizations. Turn on all features for the organization.", "explanation": "Explanation/Reference: Community vote distribution D (82%) Other", "references": "" }, { "question": "Topic 1 A video streaming company recently launched a mobile app for video sharing. The app uploads various files to an Amazon S3 bucket in the us-east-1 Region. The files range in size from 1 GB to 10 GB. Users who access the app from Australia have experienced uploads that take long periods of time. Sometimes the files fail to completely upload for these users. A solutions architect must improve the app's performance for these uploads. Which solutions will meet these requirements? (Choose two.)", "options": [ "A. Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer", "B. Configure an S3 bucket in each Region to receive the uploads. Use S3 Cross-Region", "C. Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3", "D.
Configure the app to break the video files into chunks. Use a multipart upload to transfer" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AD (97%) 3%", "references": "" }, { "question": "Topic 1 An application is using an Amazon RDS for MySQL Multi-AZ DB instance in the us-east-1 Region. After a failover test, the application lost the connections to the database and could not re-establish the connections. After a restart of the application, the application re-established the connections. A solutions architect must implement a solution so that the application can re-establish connections to the database without requiring a restart. Which solution will meet these requirements?", "options": [ "A. Create an Amazon Aurora MySQL Serverless v1 DB instance. Migrate the RDS DB instance", "B. Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the", "C. Create a two-node Amazon Aurora MySQL DB cluster. Migrate the RDS DB instance to the", "D. Create an Amazon S3 bucket. Export the database to Amazon S3 by using AWS Database", "A. Set up AWS IoT Core. For each device, create a corresponding Amazon MQ queue and", "B. Create a Network Load Balancer (NLB) and configure it with an AWS Lambda authorizer.", "C. Set up AWS IoT Core. For each device, create a corresponding AWS IoT thing and provision", "D. Set up an Amazon API Gateway HTTP API and a Network Load Balancer (NLB). Create" ], "correct": "D. Set up an Amazon API Gateway HTTP API and a Network Load Balancer (NLB). Create", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A company is running several workloads in a single AWS account. A new company policy states that engineers can provision only approved resources and that engineers must use AWS CloudFormation to provision these resources.
A solutions architect needs to create a solution to enforce the new restriction on the IAM role that the engineers use for access. What should the solutions architect do to create the solution?", "options": [ "A. Upload AWS CloudFormation templates that contain approved resources to an Amazon S3", "B. Update the IAM policy for the engineers' IAM role with permissions to only allow", "C. Update the IAM policy for the engineers' IAM role with permissions to only allow AWS", "D. Provision resources in AWS CloudFormation stacks. Update the IAM policy for the" ], "correct": "B. Update the IAM policy for the engineers' IAM role with permissions to only allow", "explanation": "Explanation/Reference: Community vote distribution C (98%) 2%", "references": "" }, { "question": "Topic 1 A solutions architect is designing the data storage and retrieval architecture for a new application that a company will be launching soon. The application is designed to ingest millions of small records per minute from devices all around the world. Each record is less than 4 KB in size and needs to be stored in a durable location where it can be retrieved with low latency. The data is ephemeral and the company is required to store the data for 120 days only, after which the data can be deleted. The solutions architect calculates that, during the course of a year, the storage requirements would be about 10-15 TB. Which storage strategy is the MOST cost-effective and meets the design requirements?", "options": [ "A. Design the application to store each incoming record as a single .csv file in an Amazon S3", "B. Design the application to store each incoming record in an Amazon DynamoDB table", "C. Design the application to store each incoming record in a single table in an Amazon RDS", "D. Design the application to batch incoming records before writing them to an Amazon S3" ], "correct": "B.
Design the application to store each incoming record in an Amazon DynamoDB table", "explanation": "Explanation/Reference: Community vote distribution B (81%) D (19%)", "references": "" }, { "question": "Topic 1 A retail company is hosting an ecommerce website on AWS across multiple AWS Regions. The company wants the website to be operational at all times for online purchases. The website stores data in an Amazon RDS for MySQL DB instance. Which solution will provide the HIGHEST availability for the database?", "options": [ "A. Configure automated backups on Amazon RDS. In the case of disruption, promote an", "B. Configure global tables and read replicas on Amazon RDS. Activate the cross-Region", "C. Configure global tables and automated backups on Amazon RDS. In the case of disruption,", "D. Configure read replicas on Amazon RDS. In the case of disruption, promote a cross-Region" ], "correct": "D. Configure read replicas on Amazon RDS. In the case of disruption, promote a cross-Region", "explanation": "Explanation/Reference: Community vote distribution D (93%) 7%", "references": "" }, { "question": "Topic 1 Example Corp. has an on-premises data center and a VPC named VPC A in the Example Corp. AWS account. The on-premises network connects to VPC A through an AWS Site-To-Site VPN. The on-premises servers can properly access VPC A. Example Corp. just acquired AnyCompany, which has a VPC named VPC B. There is no IP address overlap among these networks. Example Corp. has peered VPC A and VPC B. Example Corp. wants to connect from its on-premise servers to VPC B. Example Corp. has properly set up the network ACL and security groups. Which solution will meet this requirement with the LEAST operational effort?", "options": [ "A. Create a transit gateway. Attach the Site-to-Site VPN, VPC A, and VPC B to the transit", "B. Create a transit gateway. Create a Site-to-Site VPN connection between the on-premises", "C.
Update the route tables for the Site-to-Site VPN and both VPCs for all three networks.", "D. Modify the Site-to-Site VPN's virtual private gateway definition to include VPC A and VPC" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution A (90%) 7%", "references": "" }, { "question": "Topic 1 A company recently completed the migration from an on-premises data center to the AWS Cloud by using a replatforming strategy. One of the migrated servers is running a legacy Simple Mail Transfer Protocol (SMTP) service that a critical application relies upon. The application sends outbound email messages to the company's customers. The legacy SMTP server does not support TLS encryption and uses TCP port 25. The application can use SMTP only. The company decides to use Amazon Simple Email Service (Amazon SES) and to decommission the legacy SMTP server. The company has created and validated the SES domain. The company has lifted the SES limits. What should the company do to modify the application to send email messages from Amazon SES?", "options": [ "A. Configure the application to connect to Amazon SES by using TLS Wrapper. Create an IAM", "B. Configure the application to connect to Amazon SES by using STARTTLS. Obtain Amazon", "C. Configure the application to use the SES API to send email messages. Create an IAM role", "D. Configure the application to use AWS SDKs to send email messages. Create an IAM user" ], "correct": "A. Configure the application to connect to Amazon SES by using TLS Wrapper. Create an IAM", "explanation": "Explanation/Reference: Community vote distribution B (85%) Other", "references": "" }, { "question": "Topic 1 A company recently acquired several other companies. Each company has a separate AWS account with a different billing and reporting method. The acquiring company has consolidated all the accounts into one organization in AWS Organizations.
However, the acquiring company has found it difficult to generate a cost report that contains meaningful groups for all the teams. The acquiring company's finance team needs a solution to report on costs for all the companies through a self-managed application. Which solution will meet these requirements?", "options": [ "A. Create an AWS Cost and Usage Report for the organization. Define tags and cost", "B. Create an AWS Cost and Usage Report for the organization. Define tags and cost", "C. Create an Amazon QuickSight dataset that receives spending information from the AWS", "D. Use the AWS Price List Query API to collect account spending information. Create a" ], "correct": "D. Use the AWS Price List Query API to collect account spending information. Create a", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company runs an IoT platform on AWS. IoT sensors in various locations send data to the company's Node.js API servers on Amazon EC2 instances running behind an Application Load Balancer. The data is stored in an Amazon RDS MySQL DB instance that uses a 4 TB General Purpose SSD volume. The number of sensors the company has deployed in the field has increased over time, and is expected to grow significantly. The API servers are consistently overloaded and RDS metrics show high write latency. Which of the following steps together will resolve the issues permanently and enable growth as new sensors are provisioned, while keeping this platform cost-efficient? (Choose two.)", "options": [ "A. Resize the MySQL General Purpose SSD storage to 6 TB to improve the volume's IOPS.", "B. Re-architect the database tier to use Amazon Aurora instead of an RDS MySQL DB instance", "C. Leverage Amazon Kinesis Data Streams and AWS Lambda to ingest and process the raw", "D.
Use AWS X-Ray to analyze and debug application issues and add more API servers to" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CE (67%) BC (18%) Other", "references": "" }, { "question": "Topic 1 A company is building an electronic document management system in which users upload their documents. The application stack is entirely serverless and runs on AWS in the eu-central-1 Region. The system includes a web application that uses an Amazon CloudFront distribution for delivery with Amazon S3 as the origin. The web application communicates with Amazon API Gateway Regional endpoints. The API Gateway APIs call AWS Lambda functions that store metadata in an Amazon Aurora Serverless database and put the documents into an S3 bucket. The company is growing steadily and has completed a proof of concept with its largest customer. The company must improve latency outside of Europe. Which combination of actions will meet these requirements? (Choose two.)", "options": [ "A. Enable S3 Transfer Acceleration on the S3 bucket. Ensure that the web application uses", "B. Create an accelerator in AWS Global Accelerator. Attach the accelerator to the CloudFront", "C. Change the API Gateway Regional endpoints to edge-optimized endpoints.", "D. Provision the entire stack in two other locations that are spread across the world. Use" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (58%) CD (32%) 6%", "references": "" }, { "question": "Topic 1 An adventure company has launched a new feature on its mobile app. Users can use the feature to upload their hiking and rafting photos and videos anytime. The photos and videos are stored in Amazon S3 Standard storage in an S3 bucket and are served through Amazon CloudFront. The company needs to optimize the cost of the storage. A solutions architect discovers that most of the uploaded photos and videos are accessed infrequently after 30 days.
However, some of the uploaded photos and videos are accessed frequently after 30 days. The solutions architect needs to implement a solution that maintains millisecond retrieval availability of the photos and videos at the lowest possible cost. Which solution will meet these requirements?", "options": [ "A. Configure S3 Intelligent-Tiering on the S3 bucket.", "B. Configure an S3 Lifecycle policy to transition image objects and video objects from S3", "C. Replace Amazon S3 with an Amazon Elastic File System (Amazon EFS) file system that is", "D. Add a Cache-Control: max-age header to the S3 image objects and S3 video objects. Set" ], "correct": "B. Configure an S3 Lifecycle policy to transition image objects and video objects from S3", "explanation": "Explanation/Reference: Community vote distribution A (97%) 3%", "references": "" }, { "question": "Topic 1 A company uses Amazon S3 to store files and images in a variety of storage classes. The company's S3 costs have increased substantially during the past year. A solutions architect needs to review data trends for the past 12 months and identify the appropriate storage class for the objects. Which solution will meet these requirements?", "options": [ "A. Download AWS Cost and Usage Reports for the last 12 months of S3 usage. Review AWS", "B. Use S3 storage class analysis. Import data trends into an Amazon QuickSight dashboard to", "C. Use Amazon S3 Storage Lens. Upgrade the default dashboard to include advanced metrics", "D. Use Access Analyzer for S3. Download the Access Analyzer for S3 report for the last 12" ], "correct": "B. Use S3 storage class analysis. Import data trends into an Amazon QuickSight dashboard to", "explanation": "Explanation/Reference: Community vote distribution C (78%) 13% 10%", "references": "" }, { "question": "Topic 1 A company has its cloud infrastructure on AWS. A solutions architect needs to define the infrastructure as code.
The infrastructure is currently deployed in one AWS Region. The company's business expansion plan includes deployments in multiple Regions across multiple AWS accounts. What should the solutions architect do to meet these requirements?", "options": [ "A. Use AWS CloudFormation templates. Add IAM policies to control the various accounts,", "B. Use AWS Organizations. Deploy AWS CloudFormation templates from the management", "C. Use AWS Organizations and AWS CloudFormation StackSets. Deploy a CloudFormation", "D. Use nested stacks with AWS CloudFormation templates. Change the Region by using" ], "correct": "C. Use AWS Organizations and AWS CloudFormation StackSets. Deploy a CloudFormation", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company plans to refactor a monolithic application into a modern application design deployed on AWS.
The CI/CD pipeline needs to be upgraded to support the modern design for the application with the following requirements: \u00b7 It should allow changes to be released several times every hour. \u00b7 It should be able to roll back the changes as quickly as possible. Which design will meet these requirements?", "options": [ "A. Deploy a CI/CD pipeline that incorporates AMIs to contain the application and their", "B. Specify AWS Elastic Beanstalk to stage in a secondary environment as the deployment", "C. Use AWS Systems Manager to re-provision the infrastructure for each deployment. Update", "D. Roll out the application updates as part of an Auto Scaling event using prebuilt AMIs. Use" ], "correct": "B. Specify AWS Elastic Beanstalk to stage in a secondary environment as the deployment", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where the application needs to access an Amazon Aurora DB Cluster. The EC2 instances are all associated with the same security group. The DB cluster is associated with its own security group. The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB Cluster. Which combination of steps will meet these requirements? (Choose two.)", "options": [ "A. Add an inbound rule to the EC2 instances' security group. Specify the DB cluster's security", "B. Add an outbound rule to the EC2 instances' security group. Specify the DB cluster's", "C. Add an inbound rule to the DB cluster's security group. Specify the EC2 instances' security", "D. Add an outbound rule to the DB cluster's security group.
Specify the EC2 instances'" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BC (76%) AC (24%)", "references": "" }, { "question": "Topic 1 A company wants to change its internal cloud billing strategy for each of its business units. Currently, the cloud governance team shares reports for overall cloud spending with the head of each business unit. The company uses AWS Organizations to manage the separate AWS accounts for each business unit. The existing tagging standard in Organizations includes the application, environment, and owner. The cloud governance team wants a centralized solution so each business unit receives monthly reports on its cloud spending. The solution should also send notifications for any cloud spending that exceeds a set threshold. Which solution is the MOST cost-effective way to meet these requirements?", "options": [ "A. Configure AWS Budgets in each account and configure budget alerts that are grouped by", "B. Configure AWS Budgets in the organization's management account and configure budget", "C. Configure AWS Budgets in each account and configure budget alerts that are grouped by", "D. Enable AWS Cost and Usage Reports in the organization's management account and" ], "correct": "B. Configure AWS Budgets in the organization's management account and configure budget", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is using AWS CloudFormation to deploy its infrastructure. The company is concerned that, if a production CloudFormation stack is deleted, important data stored in Amazon RDS databases or Amazon EBS volumes might also be deleted. How can the company prevent users from accidentally deleting data in this way?", "options": [ "A. Modify the CloudFormation templates to add a DeletionPolicy attribute to RDS and EBS", "B. Configure a stack policy that disallows the deletion of RDS and EBS resources.", "C.
Modify IAM policies to deny deleting RDS and EBS resources that are tagged with an", "D. Use AWS Config rules to prevent deleting RDS and EBS resources." ], "correct": "A. Modify the CloudFormation templates to add a DeletionPolicy attribute to RDS and EBS", "explanation": "Explanation/Reference: Community vote distribution A (85%) B (15%)", "references": "" }, { "question": "Topic 1 A company has VPC flow logs enabled for its NAT gateway. The company is seeing Action = ACCEPT for inbound traffic that comes from public IP address 198.51.100.2 destined for a private Amazon EC2 instance. A solutions architect must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 203.0. Which set of steps should the solutions architect take to meet these requirements?", "options": [ "A. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway's", "B. Open the Amazon CloudWatch console. Select the log group that contains the NAT", "C. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway's", "D. Open the Amazon CloudWatch console. Select the log group that contains the NAT" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (66%) D (34%)", "references": "" }, { "question": "Topic 1 A company consists of two separate business units. Each business unit has its own AWS account within a single organization in AWS Organizations. The business units regularly share sensitive documents with each other. To facilitate sharing, the company created an Amazon S3 bucket in each account and configured two-way replication between the S3 buckets. The S3 buckets have millions of objects. Recently, a security audit identified that neither S3 bucket has encryption at rest enabled. Company policy requires that all documents must be stored with encryption at rest.
The company wants to implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3). What is the MOST operationally efficient solution that meets these requirements?", "options": [ "A. Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the", "B. Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-", "C. Turn on SSE-S3 on both S3 buckets. Encrypt the existing objects by using an S3 copy", "D. Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-" ], "correct": "C. Turn on SSE-S3 on both S3 buckets. Encrypt the existing objects by using an S3 copy", "explanation": "Explanation/Reference: Community vote distribution A (89%) 9%", "references": "" }, { "question": "Topic 1 A company is running an application in the AWS Cloud. The application collects and stores a large amount of unstructured data in an Amazon S3 bucket. The S3 bucket contains several terabytes of data and uses the S3 Standard storage class. The data increases in size by several gigabytes every day. The company needs to query and analyze the data. The company does not access data that is more than 1 year old. However, the company must retain all the data indefinitely for compliance reasons. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Use S3 Select to query the data. Create an S3 Lifecycle policy to transition data that is", "B. Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to", "C. Use an AWS Glue Data Catalog and Amazon Athena to query the data. Create an S3", "D. Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to" ], "correct": "A. Use S3 Select to query the data.
Create an S3 Lifecycle policy to transition data that is", "explanation": "Explanation/Reference: Community vote distribution C (91%) 7%", "references": "" }, { "question": "Topic 1 A video processing company wants to build a machine learning (ML) model by using 600 TB of compressed data that is stored as thousands of files in the company's on-premises network attached storage system. The company does not have the necessary compute resources on premises for ML experiments and wants to use AWS. The company needs to complete the data transfer to AWS within 3 weeks. The data transfer will be a one-time transfer. The data must be encrypted in transit. The measured upload speed of the company's internet connection is 100 Mbps, and multiple departments share the connection. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Order several AWS Snowball Edge Storage Optimized devices by using the AWS", "B. Set up a 10 Gbps AWS Direct Connect connection between the company location and the", "C. Create a VPN connection between the on-premises network attached storage and the", "D. Deploy an AWS Storage Gateway file gateway on premises. Configure the file gateway with" ], "correct": "A. Order several AWS Snowball Edge Storage Optimized devices by using the AWS", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company has migrated its forms-processing application to AWS. When users interact with the application, they upload scanned forms as files through a web application. A database stores user metadata and references to files that are stored in Amazon S3. The web application runs on Amazon EC2 instances and an Amazon RDS for PostgreSQL database. When forms are uploaded, the application sends notifications to a team through Amazon Simple Notification Service (Amazon SNS). A team member then logs in and processes each form.
The team member performs data validation on the form and extracts relevant data before entering the information into another system that uses an API. A solutions architect needs to automate the manual processing of the forms. The solution must provide accurate form extraction, minimize time to market, and minimize long-term operational overhead. Which solution will meet these requirements?", "options": [ "A. Develop custom libraries to perform optical character recognition (OCR) on the forms.", "B. Extend the system with an application tier that uses AWS Step Functions and AWS", "C. Host a new application tier on EC2 instances. Use this tier to call endpoints that host", "D. Extend the system with an application tier that uses AWS Step Functions and AWS" ], "correct": "D. Extend the system with an application tier that uses AWS Step Functions and AWS", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company is refactoring its on-premises order-processing platform in the AWS Cloud. The platform includes a web front end that is hosted on a fleet of VMs, RabbitMQ to connect the front end to the backend, and a Kubernetes cluster to run a containerized backend system to process the orders. The company does not want to make any major changes to the application. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses", "B. Create a custom AWS Lambda runtime to mimic the web server environment. Create an", "C. Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses", "D. Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses" ], "correct": "A. Create an AMI of the web server VM.
Create an Amazon EC2 Auto Scaling group that uses", "explanation": "Explanation/Reference: Community vote distribution A (93%) 7%", "references": "" }, { "question": "Topic 1 A solutions architect needs to implement a client-side encryption mechanism for objects that will be stored in a new Amazon S3 bucket. The solutions architect created a CMK that is stored in AWS Key Management Service (AWS KMS) for this purpose. The solutions architect created the following IAM policy and attached it to an IAM role: During tests, the solutions architect was able to successfully get existing test objects in the S3 bucket. However, attempts to upload a new object resulted in an error message. The error message stated that the action was forbidden. Which action must the solutions architect add to the IAM policy to meet all the requirements?", "options": [ "A. kms:GenerateDataKey", "B. kms:GetKeyPolicy", "C. kms:GetPublicKey", "D. kms:Sign" ], "correct": "A. kms:GenerateDataKey", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company has developed a web application. The company is hosting the application on a group of Amazon EC2 instances behind an Application Load Balancer. The company wants to improve the security posture of the application and plans to use AWS WAF web ACLs. The solution must not adversely affect legitimate traffic to the application. How should a solutions architect configure the web ACLs to meet these requirements?", "options": [ "A. Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the", "B. Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible.", "C. Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the", "D. Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS" ], "correct": "A. Set the action of the web ACL rules to Count.
Enable AWS WAF logging. Analyze the", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company has an organization that has many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages common security group rules for the AWS accounts in the organization. The company has a common set of IP CIDR ranges in an allow list in each AWS account to allow access to and from the company's on-premises network. Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list. The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts. Which solution meets these requirements with the LEAST amount of operational overhead?", "options": [ "A. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team's", "B. Create new customer-managed prefix lists in each AWS account within the organization.", "C. Create a new customer-managed prefix list in the security team's AWS account. Populate", "D. Create an IAM role in each account in the organization. Grant permissions to update" ], "correct": "C. Create a new customer-managed prefix list in the security team's AWS account. Populate", "explanation": "Explanation/Reference: Community vote distribution C (88%) 12%", "references": "" }, { "question": "Topic 1 A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN. The company is hosting internal applications with VPCs in multiple AWS accounts. Currently, the applications are accessible from the company's on-premises office network through an AWS Site-to-Site VPN connection.
The VPC in the company's main AWS account has peering connections established with VPCs in other AWS accounts. A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home. What is the MOST cost-effective solution that meets these requirements?", "options": [ "A. Create a Client VPN endpoint in each AWS account. Configure required routing that allows", "B. Create a Client VPN endpoint in the main AWS account. Configure required routing that", "C. Create a Client VPN endpoint in the main AWS account. Provision a transit gateway that is", "D. Create a Client VPN endpoint in the main AWS account. Establish connectivity between the", "A. Use an Amazon Simple Queue Service (Amazon SQS) queue to store events and invoke the", "B. Use an AWS Step Functions state machine to pass events to the Lambda function.", "C. Use an Amazon EventBridge rule to pass events to the Lambda function.", "D. Use an Amazon Simple Notification Service (Amazon SNS) topic to store events and invoke" ], "correct": "A. Use an Amazon Simple Queue Service (Amazon SQS) queue to store events and invoke the", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is running applications on AWS in a multi-account environment. The company's sales team and marketing team use separate AWS accounts in AWS Organizations. The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The marketing team needs access to data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts.
Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales", "B. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS", "C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight", "D. Create an IAM role in the sales account and grant access to the S3 bucket. From the" ], "correct": "D. Create an IAM role in the sales account and grant access to the S3 bucket. From the", "explanation": "Explanation/Reference: Community vote distribution D (67%) C (22%) 9%", "references": "" }, { "question": "Topic 1 A company is planning to migrate its business-critical applications from an on-premises data center to AWS. The company has an on-premises installation of a Microsoft SQL Server Always On cluster. The company wants to migrate to an AWS managed database service. A solutions architect must design a heterogeneous database migration on AWS. Which solution will meet these requirements?", "options": [ "A. Migrate the SQL Server databases to Amazon RDS for MySQL by using backup and restore", "B. Use an AWS Snowball Edge Storage Optimized device to transfer data to Amazon S3. Set", "C. Use the AWS Schema Conversion Tool to translate the database schema to Amazon RDS", "D. Use AWS DataSync to migrate data over the network between on-premises storage and" ], "correct": "C. Use the AWS Schema Conversion Tool to translate the database schema to Amazon RDS", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A publishing company's design team updates the icons and other static assets that an ecommerce web application uses. The company serves the icons and assets from an Amazon S3 bucket that is hosted in the company's production account.
The company also uses a development account that members of the design team can access. After the design team tests the static assets in the development account, the design team needs to load the assets into the S3 bucket in the production account. A solutions architect must provide the design team with access to the production account without exposing other parts of the web application to the risk of unwanted changes. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. In the production account, create a new IAM policy that allows read and write access to the", "B. In the development account, create a new IAM policy that allows read and write access to", "C. In the production account, create a role. Attach the new policy to the role. Define the", "D. In the development account, create a role. Attach the new policy to the role. Define the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACE (95%) 5%", "references": "" }, { "question": "Topic 1 A company developed a pilot application by using AWS Elastic Beanstalk and Java. To save costs during development, the company's development team deployed the application into a single-instance environment. Recent tests indicate that the application consumes more CPU than expected. CPU utilization is regularly greater than 85%, which causes some performance bottlenecks. A solutions architect must mitigate the performance issues before the company launches the application to production. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create a new Elastic Beanstalk application. Select a load-balanced environment type.", "B. Create a second Elastic Beanstalk environment. Apply the traffic-splitting deployment", "C. Modify the existing environment's capacity configuration to use a load-balanced", "D. Select the Rebuild environment action with the load balancing option.
Select an Availability" ], "correct": "A. Create a new Elastic Beanstalk application. Select a load-balanced environment type.", "explanation": "Explanation/Reference: Community vote distribution C (95%) 5%", "references": "" }, { "question": "Topic 1 A finance company is running its business-critical application on current-generation Linux EC2 instances. The application includes a self-managed MySQL database performing heavy I/O operations. The application is working fine to handle a moderate amount of traffic during the month. However, it slows down during the final three days of each month due to month-end reporting, even though the company is using Elastic Load Balancers and Auto Scaling within its infrastructure to meet the increased demand. Which of the following actions would allow the database to handle the month-end load with the LEAST impact on performance?", "options": [ "A. Pre-warming Elastic Load Balancers, using a bigger instance type, changing all Amazon", "B. Performing a one-time migration of the database cluster to Amazon RDS, and creating", "C. Using Amazon CloudWatch with AWS Lambda to change the type, size, or IOPS of Amazon", "D. Replacing all existing Amazon EBS volumes with new PIOPS volumes that have the" ], "correct": "B. Performing a one-time migration of the database cluster to Amazon RDS, and creating", "explanation": "Explanation/Reference: Community vote distribution B (93%) 7%", "references": "" }, { "question": "Topic 1 A company runs a Java application that has complex dependencies on VMs that are in the company's data center. The application is stable, but the company wants to modernize the technology stack. The company wants to migrate the application to AWS and minimize the administrative overhead to maintain the servers. Which solution will meet these requirements with the LEAST code changes?", "options": [ "A. Migrate the application to Amazon Elastic Container Service (Amazon ECS) on AWS", "B.
Migrate the application code to a container that runs in AWS Lambda. Build an Amazon API", "C. Migrate the application to Amazon Elastic Kubernetes Service (Amazon EKS) on EKS", "D. Migrate the application code to a container that runs in AWS Lambda. Configure Lambda" ], "correct": "B. Migrate the application code to a container that runs in AWS Lambda. Build an Amazon API", "explanation": "Explanation/Reference: Community vote distribution A (93%) 8%", "references": "" }, { "question": "Topic 1 A company has an asynchronous HTTP application that is hosted as an AWS Lambda function. A public Amazon API Gateway endpoint invokes the Lambda function. The Lambda function and the API Gateway endpoint reside in the us-east-1 Region. A solutions architect needs to redesign the application to support failover to another AWS Region. Which solution will meet these requirements?", "options": [ "A. Create an API Gateway endpoint in the us-west-2 Region to direct traffic to the Lambda", "B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure API Gateway to", "C. Deploy the Lambda function to the us-west-2 Region. Create an API Gateway endpoint in", "D. Deploy the Lambda function and an API Gateway endpoint to the us-west-2 Region." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution D (94%) 6%", "references": "" }, { "question": "Topic 1 A retail company has structured its AWS accounts to be part of an organization in AWS Organizations. The company has set up consolidated billing and has mapped its departments to the following OUs: Finance, Sales, Human Resources (HR), Marketing, and Operations. Each OU has multiple AWS accounts, one for each environment within a department. These environments are development, test, pre-production, and production. The HR department is releasing a new system that will launch in 3 months.
In preparation, the HR department has purchased several Reserved Instances (RIs) in its production AWS account. The HR department will install the new application on this account. The HR department wants to make sure that other departments cannot share the RI discounts. Which solution will meet these requirements?", "options": [ "A. In the AWS Billing and Cost Management console for the HR department's production", "B. Remove the HR department's production AWS account from the organization. Add the", "C. In the AWS Billing and Cost Management console, use the organization's management", "D. Create an SCP in the organization to restrict access to the RIs. Apply the SCP to the OUs of" ], "correct": "C. In the AWS Billing and Cost Management console, use the organization's management", "explanation": "Explanation/Reference: Community vote distribution C (79%) 10% 10%", "references": "" }, { "question": "Topic 1 A large company is running a popular web application. The application runs on several Amazon EC2 Linux instances in an Auto Scaling group in a private subnet. An Application Load Balancer is targeting the instances in the Auto Scaling group in the private subnet. AWS Systems Manager Session Manager is configured, and AWS Systems Manager Agent is running on all the EC2 instances. The company recently released a new version of the application. Some EC2 instances are now being marked as unhealthy and are being terminated. As a result, the application is running at reduced capacity. A solutions architect tries to determine the root cause by analyzing Amazon CloudWatch logs that are collected from the application, but the logs are inconclusive. How should the solutions architect gain access to an EC2 instance to troubleshoot the issue?", "options": [ "A. Suspend the Auto Scaling group's HealthCheck scaling process. Use Session Manager to", "B. Enable EC2 instance termination protection. Use Session Manager to log in to an instance", "C.
Set the termination policy to OldestInstance on the Auto Scaling group. Use Session", "D. Suspend the Auto Scaling group's Terminate process. Use Session Manager to log in to an" ], "correct": "D. Suspend the Auto Scaling group's Terminate process. Use Session Manager to log in to an", "explanation": "Explanation/Reference: Community vote distribution D (93%) 7%", "references": "" }, { "question": "Topic 1 A company wants to deploy an AWS WAF solution to manage AWS WAF rules across multiple AWS accounts. The accounts are managed under different OUs in AWS Organizations. Administrators must be able to add or remove accounts or OUs from managed AWS WAF rule sets as needed. Administrators also must have the ability to automatically update and remediate noncompliant AWS WAF rules in all accounts. Which solution meets these requirements with the LEAST amount of operational overhead?", "options": [ "A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the", "B. Deploy an organization-wide AWS Config rule that requires all resources in the selected", "C. Create AWS WAF rules in the management account of the organization. Use AWS Lambda", "D. Use AWS Control Tower to manage AWS WAF rules across accounts in the organization." ], "correct": "D. Use AWS Control Tower to manage AWS WAF rules across accounts in the organization.", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables are providing the database credentials to the Lambda function. The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
The data must not travel across the Internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise. What should the solutions architect recommend to meet these requirements?", "options": [ "A. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the", "B. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the", "C. Save the database credentials in AWS Systems Manager Parameter Store. Set up password", "D. Save the database credentials in AWS Secrets Manager. Set up password rotation on the" ], "correct": "D. Save the database credentials in AWS Secrets Manager. Set up password rotation on the", "explanation": "Explanation/Reference: Community vote distribution A (86%) 14%", "references": "" }, { "question": "Topic 1 A large mobile gaming company has successfully migrated all of its on-premises infrastructure to the AWS Cloud. A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework. While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs. The solutions architect finds out that the company's developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types. The solutions architect must implement a control mechanism to limit the instance types that only the developers can launch. Which solution will meet these requirements?", "options": [ "A. Create a desired-instance-type managed rule in AWS Config. Configure the rule with the", "B. In the EC2 console, create a launch template that specifies the instance types that are", "C. Create a new IAM policy.
Specify the instance types that are allowed. Attach the policy to", "D. Use EC2 Image Builder to create an image pipeline for the developers and assist them in" ], "correct": "C. Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is developing and hosting several projects in the AWS Cloud. The projects are developed across multiple AWS accounts under the same organization in AWS Organizations. The company requires the cost for cloud infrastructure to be allocated to the owning project. The team responsible for all of the AWS accounts has discovered that several Amazon EC2 instances are lacking the Project tag used for cost allocation. Which actions should a solutions architect take to resolve the problem and prevent it from happening in the future? (Choose three.)", "options": [ "A. Create an AWS Config rule in each account to find resources with missing tags.", "B. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project", "C. Use Amazon Inspector in the organization to find resources with missing tags.", "D. Create an IAM policy in each account with a deny action for ec2:RunInstances if the Project" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABE (81%) Other", "references": "" }, { "question": "Topic 1 A company has an on-premises monitoring solution using a PostgreSQL database for persistence of events. The database is unable to scale due to heavy ingestion and it frequently runs out of storage. The company wants to create a hybrid solution and has already set up a VPN connection between its network and AWS. The solution should include the following attributes: \u00b7 Managed AWS services to minimize operational complexity.
\u00b7 A buffer that automatically scales to match the throughput of data and requires no ongoing administration. \u00b7 A visualization tool to create dashboards to observe events in near-real time. \u00b7 Support for semi-structured JSON data and dynamic schemas. Which combination of components will enable the company to create a monitoring solution that will satisfy these requirements? (Choose two.)", "options": [ "A. Use Amazon Kinesis Data Firehose to buffer events. Create an AWS Lambda function to", "B. Create an Amazon Kinesis data stream to buffer events. Create an AWS Lambda function", "C. Configure an Amazon Aurora PostgreSQL DB cluster to receive events. Use Amazon", "D. Configure Amazon Elasticsearch Service (Amazon ES) to receive events. Use the Kibana" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AD (92%) 5%", "references": "" }, { "question": "Topic 1 A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and an internet gateway. Each public subnet also contains a NAT gateway. Most of the company's applications read from and write to Amazon Kinesis Data Streams. Most of the workloads run in private subnets. A solutions architect must review the infrastructure. The solutions architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high. A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category. What should the solutions architect do to meet these requirements?", "options": [ "A. Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be", "B. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that", "C. Enable VPC Flow Logs and Amazon Detective.
Review Detective findings for traffic that is", "D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC" ], "correct": "D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC", "explanation": "Explanation/Reference: Community vote distribution D (92%) 8%", "references": "" }, { "question": "Topic 1 A retail company has an on-premises data center in Europe. The company also has a multi-Region AWS presence that includes the eu-west-1 and us-east-1 Regions. The company wants to be able to route network traffic from its on-premises infrastructure into VPCs in either of those Regions. The company also needs to support traffic that is routed directly between VPCs in those Regions. No single points of failure can exist on the network. The company already has created two 1 Gbps AWS Direct Connect connections from its on-premises data center. Each connection goes into a separate Direct Connect location in Europe for high availability. These two locations are named DX-A and DX-B, respectively. Each Region has a single AWS Transit Gateway that is configured to route all inter-VPC traffic within that Region. Which solution will meet these requirements?", "options": [ "A. Create a private VIF from the DX-A connection into a Direct Connect gateway. Create a", "B. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Associate the", "C. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a", "D. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a" ], "correct": "A. Create a private VIF from the DX-A connection into a Direct Connect gateway. Create a", "explanation": "Explanation/Reference: Community vote distribution D (95%) 3%", "references": "" }, { "question": "Topic 1 A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users.
When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with", "B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple", "C. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS", "D. Invoke an AWS Step Functions state machine to remove access.", "A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite", "B. Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings", "C. Create transit gateways and transit gateway VPC attachments in each account. Configure", "D. Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACD (100%)", "references": "" }, { "question": "Topic 1 A company runs its application in the eu-west-1 Region and has one account for each of its environments: development, testing, and production. All the environments are running 24 hours a day, 7 days a week by using stateful Amazon EC2 instances and Amazon RDS for MySQL databases. The databases are between 500 GB and 800 GB in size. The development team and testing team work on business days during business hours, but the production environment operates 24 hours a day, 7 days a week. The company wants to reduce costs. All resources are tagged with an environment tag with either development, testing, or production as the key. What should a solutions architect do to reduce costs with the LEAST operational effort?", "options": [ "A. Create an Amazon EventBridge rule that runs once every day. 
Configure the rule to invoke", "B. Create an Amazon EventBridge rule that runs every business day in the evening. Configure", "C. Create an Amazon EventBridge rule that runs every business day in the evening. Configure", "D. Create an Amazon EventBridge rule that runs every hour. Configure the rule to invoke one" ], "correct": "A. Create an Amazon EventBridge rule that runs once every day. Configure the rule to invoke", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is building a software-as-a-service (SaaS) solution on AWS. The company has deployed an Amazon API Gateway REST API with AWS Lambda integration in multiple AWS Regions and in the same production account. The company offers tiered pricing that gives customers the ability to pay for the capacity to make a certain number of API calls per second. The premium tier offers up to 3,000 calls per second, and customers are identified by a unique API key. Several premium tier customers in various Regions report that they receive error responses of 429 Too Many Requests from multiple API methods during peak usage hours. Logs indicate that the Lambda function is never invoked. What could be the cause of the error messages for these customers?", "options": [ "A. The Lambda function reached its concurrency limit.", "B. The Lambda function reached its Region limit for concurrency.", "C. The company reached its API Gateway account limit for calls per second.", "D. The company reached its API Gateway default per-method limit for calls per second." ], "correct": "C. The company reached its API Gateway account limit for calls per second.", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A financial company is planning to migrate its web application from on premises to AWS. The company uses a third-party security tool to monitor the inbound traffic to the application. 
The company has used the security tool for the last 15 years, and the tool has no cloud solutions available from its vendor. The company's security team is concerned about how to integrate the security tool with AWS technology. The company plans to deploy the application migration to AWS on Amazon EC2 instances. The EC2 instances will run in an Auto Scaling group in a dedicated VPC. The company needs to use the security tool to inspect all packets that come in and out of the VPC. This inspection must occur in real time and must not affect the application's performance. A solutions architect must design a target architecture on AWS that is highly available within an AWS Region. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Deploy the security tool on EC2 instances in a new Auto Scaling group in the existing VPC", "B. Deploy the web application behind a Network Load Balancer", "C. Deploy an Application Load Balancer in front of the security tool instances", "D. Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AD (56%) DE (41%) 2%", "references": "" }, { "question": "Topic 1 A company has purchased appliances from different vendors. The appliances all have IoT sensors. The sensors send status information in the vendors' proprietary formats to a legacy application that parses the information into JSON. The parsing is simple, but each vendor has a unique format. Once daily, the application parses all the JSON records and stores the records in a relational database for analysis. The company needs to design a new data analysis solution that can deliver faster and optimize costs. Which solution will meet these requirements?", "options": [ "A. Connect the IoT sensors to AWS IoT Core. Set a rule to invoke an AWS Lambda function to", "B. 
Migrate the application server to AWS Fargate, which will receive the information from IoT", "C. Create an AWS Transfer for SFTP server. Update the IoT sensor code to send the \u00b7", "D. Use AWS Snowball Edge to collect data from the IoT sensors directly to perform local" ], "correct": "C. Create an AWS Transfer for SFTP server. Update the IoT sensor code to send the \u00b7", "explanation": "Explanation/Reference: Community vote distribution A (81%) B (19%)", "references": "" }, { "question": "Topic 1 A company is migrating some of its applications to AWS. The company wants to migrate and modernize the applications quickly after it finalizes networking and security strategies. The company has set up an AWS Direct Connect connection in a central network account. The company expects to have hundreds of AWS accounts and VPCs in the near future. The corporate network must be able to access the resources on AWS seamlessly and also must be able to communicate with all the VPCs. The company also wants to route its cloud resources to the internet through its on-premises data center. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Create a Direct Connect gateway in the central account. In each of the accounts, create an", "B. Create a Direct Connect gateway and a transit gateway in the central network account.", "C. Provision an internet gateway. Attach the internet gateway to subnets. Allow internet", "D. Share the transit gateway with other accounts. Attach VPCs to the transit gateway." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BDF (100%)", "references": "" }, { "question": "Topic 1 A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. 
This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously. A solutions architect needs to enforce the new process in the most secure way possible. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all", "B. Use AWS Config to report on the attachment of an IAM policy that denies access to the", "C. In each AWS account, create an IAM policy that denies the", "D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AD (100%)", "references": "" }, { "question": "Topic 1 A company is running a critical application that uses an Amazon RDS for MySQL database to store data. The RDS DB instance is deployed in Multi-AZ mode. A recent RDS database failover test caused a 40-second outage to the application. A solutions architect needs to design a solution to reduce the outage time to less than 20 seconds. Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)", "options": [ "A. Use Amazon ElastiCache for Memcached in front of the database", "B. Use Amazon ElastiCache for Redis in front of the database", "C. Use RDS Proxy in front of the database.", "D. Migrate the database to Amazon Aurora MySQL." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CDE (92%) 8%", "references": "" }, { "question": "Topic 1 An AWS partner company is building a service in AWS Organizations using its organization named org1. 
This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2. The company must establish least privilege security access using an API or command line tool to the customer account. What is the MOST secure way to allow org1 to access resources in org2?", "options": [ "A. The customer should provide the partner company with their AWS account access keys to", "B. The customer should create an IAM user and assign the required permissions to the IAM", "C. The customer should create an IAM role and assign the required permissions to the IAM", "D. The customer should create an IAM role and assign the required permissions to the IAM" ], "correct": "D. The customer should create an IAM role and assign the required permissions to the IAM", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A delivery company needs to migrate its third-party route planning application to AWS. The third party supplies a supported Docker image from a public registry. The image can run in as many containers as required to generate the route map. The company has divided the delivery area into sections with supply hubs so that delivery drivers travel the shortest distance possible from the hubs to the customers. To reduce the time necessary to generate route maps, each section uses its own set of Docker containers with a custom configuration that processes orders only in the section's area. The company needs the ability to allocate resources cost-effectively based on the number of running containers. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on Amazon EC2. Use", "B. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on AWS Fargate. Use", "C. 
Create an Amazon Elastic Container Service (Amazon ECS) cluster on Amazon EC2. Use", "D. Create an Amazon Elastic Container Service (Amazon ECS) cluster on AWS Fargate. Use" ], "correct": "D. Create an Amazon Elastic Container Service (Amazon ECS) cluster on AWS Fargate. Use", "explanation": "Explanation/Reference: Community vote distribution D (80%) B (20%)", "references": "" }, { "question": "Topic 1 A software company hosts an application on AWS with resources in multiple AWS accounts and Regions. The application runs on a group of Amazon EC2 instances in an application VPC located in the us-east-1 Region with an IPv4 CIDR block of 10.10.0.0/16. In a different AWS account, a shared services VPC is located in the us-east-2 Region with an IPv4 CIDR block of 10.10.10.0/24. When a cloud engineer uses AWS CloudFormation to attempt to peer the application VPC with the shared services VPC, an error message indicates a peering failure. Which factors could cause this error? (Choose two.)", "options": [ "A. The IPv4 CIDR ranges of the two VPCs overlap", "B. The VPCs are not in the same Region", "C. One or both accounts do not have access to an Internet gateway", "D. One of the VPCs was not shared through AWS Resource Access Manager" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AE (86%) 14%", "references": "" }, { "question": "Topic 1 An external audit of a company's serverless application reveals IAM policies that grant too many permissions. These policies are attached to the company's AWS Lambda execution roles. Hundreds of the company's Lambda functions have broad access permissions such as full access to Amazon S3 buckets and Amazon DynamoDB tables. The company wants each function to have only the minimum permissions that the function needs to complete its task. A solutions architect must determine which permissions each Lambda function needs. 
What should the solutions architect do to meet this requirement with the LEAST amount of effort?", "options": [ "A. Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls.", "B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access", "C. Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the", "D. Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to" ], "correct": "B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A solutions architect must analyze a company's Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes to determine whether the company is using resources efficiently. The company is running several large, high-memory EC2 instances to host database clusters that are deployed in active/passive configurations. The utilization of these EC2 instances varies by the applications that use the databases, and the company has not identified a pattern. The solutions architect must analyze the environment and take action based on the findings. Which solution meets these requirements MOST cost-effectively?", "options": [ "A. Create a dashboard by using AWS Systems Manager OpsCenter. Configure visualizations", "B. Turn on Amazon CloudWatch detailed monitoring for the EC2 instances and their EBS", "C. Install the Amazon CloudWatch agent on each of the EC2 instances. Turn on AWS", "D. Sign up for the AWS Enterprise Support plan. Turn on AWS Trusted Advisor. Wait 12 hours." ], "correct": "C. Install the Amazon CloudWatch agent on each of the EC2 instances. Turn on AWS", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations for a multi-account setup in the AWS Cloud. 
The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts. In an AWS application account, the company's application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account. The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets. Which solution will meet these requirements?", "options": [ "A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application", "B. In the application account, create an IAM role that is named DBA-Secret. Grant the role the", "C. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the", "D. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the" ], "correct": "A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application", "explanation": "Explanation/Reference: Community vote distribution B (82%) Other", "references": "" }, { "question": "Topic 1 A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, the company has two OUs: Research and DataOps. Because of regulatory requirements, all resources that the company deploys in the organization must reside in the ap-northeast-1 Region. 
Additionally, EC2 instances that the company deploys in the DataOps OU must use a predefined list of instance types. A solutions architect must implement a solution that applies these restrictions. The solution must maximize operational efficiency and must minimize ongoing maintenance. Which combination of steps will meet these requirements? (Choose two.)", "options": [ "A. Create an IAM role in one account under the DataOps OU. Use the ec2:InstanceType", "B. Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion", "C. Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS", "D. Create an SCP. Use the ec2:Region condition key to restrict access to all AWS Regions", "A. Deploy the SQS queue with the Lambda function to other Regions.", "B. Subscribe the SNS topic in each Region to the SQS queue.", "C. Subscribe the SQS queue in each Region to the SNS topic.", "D. Configure the SQS queue to publish URLs to SNS topics in each Region." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (100%)", "references": "" }, { "question": "Topic 1 A company runs a proprietary stateless ETL application on an Amazon EC2 Linux instance. The application is a Linux binary, and the source code cannot be modified. The application is single-threaded, uses 2 GB of RAM, and is highly CPU intensive. The application is scheduled to run every 4 hours and runs for up to 20 minutes. A solutions architect wants to revise the architecture for the solution. Which strategy should the solutions architect use?", "options": [ "A. Use AWS Lambda to run the application. Use Amazon CloudWatch Logs to invoke the", "B. Use AWS Batch to run the application. Use an AWS Step Functions state machine to invoke", "C. Use AWS Fargate to run the application. Use Amazon EventBridge (Amazon CloudWatch", "D. Use Amazon EC2 Spot Instances to run the application. 
Use AWS CodeDeploy to deploy" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution C (88%) 12%", "references": "" }, { "question": "Topic 1 A company is creating a sequel for a popular online game. A large number of users from all over the world will play the game within the first week after launch. Currently, the game consists of the following components deployed in a single AWS Region: \u00b7 Amazon S3 bucket that stores game assets \u00b7 Amazon DynamoDB table that stores player scores A solutions architect needs to design a multi-Region solution that will reduce latency, improve reliability, and require the least effort to implement. What should the solutions architect do to meet these requirements?", "options": [ "A. Create an Amazon CloudFront distribution to serve assets from the S3 bucket. Configure", "B. Create an Amazon CloudFront distribution to serve assets from the S3 bucket. Configure", "C. Create another S3 bucket in a new Region, and configure S3 Cross-Region Replication", "D. Create another S3 bucket in the same Region, and configure S3 Same-Region Replication" ], "correct": "C. Create another S3 bucket in a new Region, and configure S3 Cross-Region Replication", "explanation": "Explanation/Reference: Community vote distribution C (88%) 13%", "references": "" }, { "question": "Topic 1 A company has an on-premises website application that provides real estate information for potential renters and buyers. The website uses a Java backend and a NoSQL MongoDB database to store subscriber data. The company needs to migrate the entire application to AWS with a similar structure. The application must be deployed for high availability, and the company cannot make changes to the application. Which solution will meet these requirements?", "options": [ "A. Use an Amazon Aurora DB cluster as the database for the subscriber data. Deploy Amazon", "B. 
Use MongoDB on Amazon EC2 instances as the database for the subscriber data. Deploy", "C. Configure Amazon DocumentDB (with MongoDB compatibility) with appropriately sized", "D. Configure Amazon DocumentDB (with MongoDB compatibility) in on-demand capacity" ], "correct": "D. Configure Amazon DocumentDB (with MongoDB compatibility) in on-demand capacity", "explanation": "Explanation/Reference: Community vote distribution C (87%) 13%", "references": "" }, { "question": "Topic 1 A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company's marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects. A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Access Denied error. The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need. Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)", "options": [ "A. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal", "B. Update the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to", "C. Update the custom KMS key policy in the Creative account to grant decrypt permissions to \u00b7", "D. Create a bucket policy that includes read permissions for the S3 bucket. 
Set the principal" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACF (100%)", "references": "" }, { "question": "Topic 1 A life sciences company is using a combination of open source tools to manage data analysis workflows and Docker containers running on servers in its on-premises data center to process genomics data. Sequencing data is generated and stored on a local storage area network (SAN), and then the data is processed. The research and development teams are running into capacity issues and have decided to re-architect their genomics analysis platform on AWS to scale based on workload demands and reduce the turnaround time from weeks to days. The company has a high-speed AWS Direct Connect connection. Sequencers will generate around 200 GB of data for each genome, and individual jobs can take several hours to process the data with ideal compute capacity. The end result will be stored in Amazon S3. The company is expecting 10-15 job requests each day. Which solution meets these requirements?", "options": [ "A. Use regularly scheduled AWS Snowball Edge devices to transfer the sequencing data into", "B. Use AWS Data Pipeline to transfer the sequencing data to Amazon S3. Use S3 events to", "C. Use AWS DataSync to transfer the sequencing data to Amazon S3. Use S3 events to trigger", "D. Use an AWS Storage Gateway file gateway to transfer the sequencing data to Amazon S3." ], "correct": "C. Use AWS DataSync to transfer the sequencing data to Amazon S3. Use S3 events to trigger", "explanation": "Explanation/Reference: Community vote distribution C (76%) D (24%)", "references": "" }, { "question": "Topic 1 A company runs a content management application on a single Windows Amazon EC2 instance in a development environment. The application reads and writes static content to a 2 TB Amazon Elastic Block Store (Amazon EBS) volume that is attached to the instance as the root device. 
The company plans to deploy this application in production as a highly available and fault-tolerant solution that runs on at least three EC2 instances across multiple Availability Zones. A solutions architect must design a solution that joins all the instances that run the application to an Active Directory domain. The solution also must implement Windows ACLs to control access to file contents. The application always must maintain exactly the same content on all running instances at any given point in time. Which solution will meet these requirements with the LEAST management overhead?", "options": [ "A. Create an Amazon Elastic File System (Amazon EFS) file share. Create an Auto Scaling", "B. Create a new AMI from the current EC2 instance that is running. Create an Amazon FSx for", "C. Create an Amazon FSx for Windows File Server file system. Create an Auto Scaling group", "D. Create a new AMI from the current EC2 instance that is running. Create an Amazon Elastic" ], "correct": "B. Create a new AMI from the current EC2 instance that is running. Create an Amazon FSx for", "explanation": "Explanation/Reference: Community vote distribution C (95%) 5%", "references": "" }, { "question": "Topic 1 A software as a service (SaaS) based company provides a case management solution to customers. As part of the solution, the company uses a standalone Simple Mail Transfer Protocol (SMTP) server to send email messages from an application. The application also stores an email template for acknowledgement email messages that populate customer data before the application sends the email message to the customer. The company plans to migrate this messaging functionality to the AWS Cloud and needs to minimize operational overhead. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Set up an SMTP server on Amazon EC2 instances by using an AMI from the AWS", "B. Set up Amazon Simple Email Service (Amazon SES) to send email messages. 
Store the", "C. Set up an SMTP server on Amazon EC2 instances by using an AMI from the AWS", "D. Set up Amazon Simple Email Service (Amazon SES) to send email messages. Store the" ], "correct": "B. Set up Amazon Simple Email Service (Amazon SES) to send email messages. Store the", "explanation": "Explanation/Reference: Community vote distribution D (97%) 3%", "references": "" }, { "question": "Topic 1 A company is processing videos in the AWS Cloud by using Amazon EC2 instances in an Auto Scaling group. It takes 30 minutes to process a video. Several EC2 instances scale in and out depending on the number of videos in an Amazon Simple Queue Service (Amazon SQS) queue. The company has configured the SQS queue with a redrive policy that specifies a target dead-letter queue and a maxReceiveCount of 1. The company has set the visibility timeout for the SQS queue to 1 hour. The company has set up an Amazon CloudWatch alarm to notify the development team when there are messages in the dead-letter queue. Several times during the day, the development team receives notification that messages are in the dead-letter queue and that videos have not been processed properly. An investigation finds no errors in the application logs. How can the company solve this problem?", "options": [ "A. Turn on termination protection for the EC2 instances", "B. Update the visibility timeout for the SQS queue to 3 hours", "C. Configure scale-in protection for the instances during processing \u00b7", "D. Update the redrive policy and set maxReceiveCount to 0." ], "correct": "D. Update the redrive policy and set maxReceiveCount to 0.", "explanation": "Explanation/Reference: Community vote distribution C (75%) D (21%) 4%", "references": "" }, { "question": "Topic 1 A company has developed APIs that use Amazon API Gateway with Regional endpoints. The APIs call AWS Lambda functions that use API Gateway authentication mechanisms. 
After a design review, a solutions architect identifies a set of APIs that do not require public access. The solutions architect must design a solution to make the set of APIs accessible only from a VPC. All APIs need to be called with an authenticated user. Which solution will meet these requirements with the LEAST amount of effort?", "options": [ "A. Create an internal Application Load Balancer (ALB). Create a target group. Select the", "B. Remove the DNS entry that is associated with the API in API Gateway. Create a hosted", "C. Update the API endpoint from Regional to private in API Gateway. Create an interface VPC", "D. Deploy the Lambda functions inside the VPC. Provision an EC2 instance, and install an" ], "correct": "D. Deploy the Lambda functions inside the VPC. Provision an EC2 instance, and install an", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A weather service provides high-resolution weather maps from a web application hosted on AWS in the eu-west-1 Region. The weather maps are updated frequently and stored in Amazon S3 along with static HTML content. The web application is fronted by Amazon CloudFront. The company recently expanded to serve users in the us-east-1 Region, and these new users report that viewing their respective weather maps is slow from time to time. Which combination of steps will resolve the us-east-1 performance issues? (Choose two.)", "options": [ "A. Configure the AWS Global Accelerator endpoint for the S3 bucket in eu-west-1. Configure", "B. Create a new S3 bucket in us-east-1. Configure S3 cross-Region replication to synchronize", "C. Use Lambda@Edge to modify requests from North America to use the S3 Transfer", "D. 
Use Lambda@Edge to modify requests from North America to use the S3 bucket in us-east-" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (95%) 2%", "references": "" }, { "question": "Topic 1 A solutions architect is investigating an issue in which a company cannot establish new sessions in Amazon Workspaces. An initial analysis indicates that the issue involves user profiles. The Amazon Workspaces environment is configured to use Amazon FSx for Windows File Server as the profile share storage. The FSx for Windows File Server file system is configured with 10 TB of storage. The solutions architect discovers that the file system has reached its maximum capacity. The solutions architect must ensure that users can regain access. The solution also must prevent the problem from occurring again. Which solution will meet these requirements?", "options": [ "A. Remove old user profiles to create space. Migrate the user profiles to an Amazon FSx for", "B. Increase capacity by using the update-file-system command. Implement an Amazon", "C. Monitor the file system by using the FreeStorageCapacity metric in Amazon CloudWatch.", "D. Remove old user profiles to create space. Create an additional FSx for Windows File Server" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (86%) 10%", "references": "" }, { "question": "Topic 1 An international delivery company hosts a delivery management system on AWS. Drivers use the system to upload confirmation of delivery. Confirmation includes the recipient's signature or a photo of the package with the recipient. The driver's handheld device uploads signatures and photos through FTP to a single Amazon EC2 instance. Each handheld device saves a file in a directory based on the signed-in user, and the file name matches the delivery number. The EC2 instance then adds metadata to the file after querying a central database to pull delivery information. 
The file is then placed in Amazon S3 for archiving. As the company expands, drivers report that the system is rejecting connections. The FTP server is having problems because of dropped connections and memory issues. In response to these problems, a system engineer schedules a cron task to reboot the EC2 instance every 30 minutes. The billing team reports that files are not always in the archive and that the central system is not always updated. A solutions architect needs to design a solution that maximizes scalability to ensure that the archive always receives the files and that systems are always updated. The handheld devices cannot be modified, so the company cannot deploy a new application. Which solution will meet these requirements?", "options": [ "A. Create an AMI of the existing EC2 instance. Create an Auto Scaling group of EC2 instances", "B. Use AWS Transfer Family to create an FTP server that places the files in Amazon Elastic", "C. Use AWS Transfer Family to create an FTP server that places the files in Amazon S3. Use", "D. Update the handheld devices to place the files directly in Amazon S3. Use an S3 event" ], "correct": "B. Use AWS Transfer Family to create an FTP server that places the files in Amazon Elastic", "explanation": "Explanation/Reference: Community vote distribution C (77%) B (23%)", "references": "" }, { "question": "Topic 1 A company is running an application in the AWS Cloud. The application runs on containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The ECS tasks use the Fargate launch type. The application's data is relational and is stored in Amazon Aurora MySQL. To meet regulatory requirements, the application must be able to recover to a separate AWS Region in the event of an application failure. In case of a failure, no data can be lost. Which solution will meet these requirements with the LEAST amount of operational overhead?", "options": [ "A. 
Provision an Aurora Replica in a different Region.", "B. Set up AWS DataSync for continuous replication of the data to a different Region.", "C. Set up AWS Database Migration Service (AWS DMS) to perform a continuous replication of", "D. Use Amazon Data Lifecycle Manager (Amazon DLM) to schedule a snapshot every 5" ], "correct": "A. Provision an Aurora Replica in a different Region.", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A financial services company receives a regular data feed from its credit card servicing partner. Approximately 5,000 records are sent every 15 minutes in plaintext, delivered over HTTPS directly into an Amazon S3 bucket with server-side encryption. This feed contains sensitive credit card primary account number (PAN) data. The company needs to automatically mask the PAN before sending the data to another S3 bucket for additional internal processing. The company also needs to remove and merge specific fields, and then transform the record into JSON format. Additionally, extra feeds are likely to be added in the future, so any design needs to be easily expandable. Which solutions will meet these requirements?", "options": [ "A. Invoke an AWS Lambda function on file delivery that extracts each record and writes it to", "B. Invoke an AWS Lambda function on file delivery that extracts each record and writes it to", "C. Create an AWS Glue crawler and custom classifier based on the data feed formats and" ], "correct": "C. Create an AWS Glue crawler and custom classifier based on the data feed formats and", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company wants to use AWS to create a business continuity solution in case the company's main on-premises application fails. The application runs on physical servers that also run other applications. 
The on-premises application that the company is planning to migrate uses a MySQL database as a data store. All the company's on-premises applications use operating systems that are compatible with Amazon EC2. Which solution will achieve the company's goal with the LEAST operational overhead?", "options": [ "A. Install the AWS Replication Agent on the source servers, including the MySQL servers. Set", "B. Install the AWS Replication Agent on the source servers, including the MySQL servers.", "C. Create AWS Database Migration Service (AWS DMS) replication servers and a target", "D. Deploy an AWS Storage Gateway Volume Gateway on premises. Mount volumes on all on-" ], "correct": "C. Create AWS Database Migration Service (AWS DMS) replication servers and a target", "explanation": "Explanation/Reference: Community vote distribution B (85%) C (15%)", "references": "" }, { "question": "Topic 1 A company is subject to regulatory audits of its financial information. External auditors who use a single AWS account need access to the company's AWS account. A solutions architect must provide the auditors with secure, read-only access to the company's AWS account. The solution must comply with AWS security best practices. Which solution will meet these requirements?", "options": [ "A. In the company's AWS account, create resource policies for all resources in the account to", "B. In the company's AWS account, create an IAM role that trusts the auditors' AWS account.", "C. In the company's AWS account, create an IAM user. Attach the required IAM policies to the", "D. In the company's AWS account, create an IAM group that has the required permissions." ], "correct": "B. 
In the company's AWS account, create an IAM role that trusts the auditors' AWS account.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has a latency-sensitive trading platform that uses Amazon DynamoDB as a storage backend. The company configured the DynamoDB table to use on-demand capacity mode. A solutions architect needs to design a solution to improve the performance of the trading platform. The new solution must ensure high availability for the trading platform. Which solution will meet these requirements with the LEAST latency?", "options": [ "A. Create a two-node DynamoDB Accelerator (DAX) cluster. Configure an application to read", "B. Create a three-node DynamoDB Accelerator (DAX) cluster. Configure an application to read", "C. Create a three-node DynamoDB Accelerator (DAX) cluster. Configure an application to read", "D. Create a single-node DynamoDB Accelerator (DAX) cluster. Configure an application to" ], "correct": "A. Create a two-node DynamoDB Accelerator (DAX) cluster. Configure an application to read", "explanation": "Explanation/Reference: Community vote distribution B (90%) 10%", "references": "" }, { "question": "Topic 1 A company has migrated an application from on premises to AWS. The application frontend is a static website that runs on two Amazon EC2 instances behind an Application Load Balancer (ALB). The application backend is a Python application that runs on three EC2 instances behind another ALB. The EC2 instances are large, general purpose On-Demand Instances that were sized to meet the on-premises specifications for peak usage of the application. The application averages hundreds of thousands of requests each month. However, the application is used mainly during lunchtime and receives minimal traffic during the rest of the day. 
A solutions architect needs to optimize the infrastructure cost of the application without negatively affecting the application availability. Which combination of steps will meet these requirements? (Choose two.)", "options": [ "A. Change all the EC2 instances to compute optimized instances that have the same number", "B. Move the application frontend to a static website that is hosted on Amazon S3.", "C. Deploy the application frontend by using AWS Elastic Beanstalk. Use the same instance", "D. Change all the backend EC2 instances to Spot Instances." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BE (91%) 9%", "references": "" }, { "question": "Topic 1 A company is running an event ticketing platform on AWS and wants to optimize the platform's cost-effectiveness. The platform is deployed on Amazon Elastic Kubernetes Service (Amazon EKS) with Amazon EC2 and is backed by an Amazon RDS for MySQL DB instance. The company is developing new application features to run on Amazon EKS with AWS Fargate. The platform experiences infrequent high peaks in demand. The surges in demand depend on event dates. Which solution will provide the MOST cost-effective setup for the platform?", "options": [ "A. Purchase Standard Reserved Instances for the EC2 instances that the EKS cluster uses in", "C. Purchase EC2 Instance Savings Plans for the predicted base load of the EKS cluster. Scale", "D. Purchase Compute Savings Plans for the predicted base load of the EKS cluster. Scale the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (73%) D (15%) 7%", "references": "" }, { "question": "Topic 1 A company has deployed an application on AWS Elastic Beanstalk. The application uses Amazon Aurora for the database layer. An Amazon CloudFront distribution serves web requests and includes the Elastic Beanstalk domain name as the origin server. 
The distribution is configured with an alternate domain name that visitors use when they access the application. Each week, the company takes the application out of service for routine maintenance. During the time that the application is unavailable, the company wants visitors to receive an informational message instead of a CloudFront error message. A solutions architect creates an Amazon S3 bucket as the first step in the process. Which combination of steps should the solutions architect take next to meet the requirements? (Choose three.)", "options": [ "A. Upload static informational content to the S3 bucket.", "B. Create a new CloudFront distribution. Set the S3 bucket as the origin.", "C. Set the S3 bucket as a second origin in the original CloudFront distribution. Configure the", "D. During the weekly maintenance, edit the default cache behavior to use the S3 origin. Revert" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACD (100%)", "references": "" }, { "question": "Topic 1 A company gives users the ability to upload images from a custom application. The upload process invokes an AWS Lambda function that processes and stores the image in an Amazon S3 bucket. The application invokes the Lambda function by using a specific function version ARN. The Lambda function accepts image processing parameters by using environment variables. The company often adjusts the environment variables of the Lambda function to achieve optimal image processing output. The company tests different parameters and publishes a new function version with the updated environment variables after validating results. This update process also requires frequent changes to the custom application to invoke the new function version ARN. These changes cause interruptions for users. A solutions architect needs to simplify this process to minimize disruption to users. 
Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Directly modify the environment variables of the published Lambda function version. Use", "B. Create an Amazon DynamoDB table to store the image processing parameters. Modify the", "C. Directly code the image processing parameters within the Lambda function and remove the", "D. Create a Lambda function alias. Modify the client application to use the function alias" ], "correct": "D. Create a Lambda function alias. Modify the client application to use the function alias", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A global media company is planning a multi-Region deployment of an application. Amazon DynamoDB global tables will back the deployment to keep the user experience consistent across the two continents where users are concentrated. Each deployment will have a public Application Load Balancer (ALB). The company manages public DNS internally. The company wants to make the application available through an apex domain. Which solution will meet these requirements with the LEAST effort? A. Migrate public DNS to Amazon Route 53. Create CNAME records for the apex domain to point to the ALB. Use a geolocation routing policy to route traffic based on user location.", "options": [ "B. Place a Network Load Balancer (NLB) in front of the ALB. Migrate public DNS to Amazon", "C. Create an AWS Global Accelerator accelerator with multiple endpoint groups that target", "D. Create an Amazon API Gateway API that is backed by AWS Lambda in one of the AWS" ], "correct": "C. Create an AWS Global Accelerator accelerator with multiple endpoint groups that target", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is developing a new serverless API by using Amazon API Gateway and AWS Lambda. 
The company integrated the Lambda functions with API Gateway to use several shared libraries and custom classes. A solutions architect needs to simplify the deployment of the solution and optimize for code reuse. Which solution will meet these requirements?", "options": [ "A. Deploy the shared libraries and custom classes into a Docker image. Store the image in an", "B. Deploy the shared libraries and custom classes to a Docker image. Upload the image to", "C. Deploy the shared libraries and custom classes to a Docker container in Amazon Elastic", "D. Deploy the shared libraries, custom classes, and code for the API's Lambda functions to a" ], "correct": "B. Deploy the shared libraries and custom classes to a Docker image. Upload the image to", "explanation": "Explanation/Reference: Community vote distribution D (68%) B (32%)", "references": "" }, { "question": "Topic 1 A manufacturing company is building an inspection solution for its factory. The company has IP cameras at the end of each assembly line. The company has used Amazon SageMaker to train a machine learning (ML) model to identify common defects from still images. The company wants to provide local feedback to factory workers when a defect is detected. The company must be able to provide this feedback even if the factory's internet connectivity is down. The company has a local Linux server that hosts an API that provides local feedback to the workers. How should the company deploy the ML model to meet these requirements?", "options": [ "A. Set up an Amazon Kinesis video stream from each IP camera to AWS. Use Amazon EC2", "B. Deploy AWS IoT Greengrass on the local server. Deploy the ML model to the Greengrass", "C. Order an AWS Snowball device. Deploy a SageMaker endpoint the ML model and an", "D. Deploy Amazon Monitron devices on each IP camera. Deploy an Amazon Monitron" ], "correct": "D. Deploy Amazon Monitron devices on each IP camera. 
Deploy an Amazon Monitron", "explanation": "Explanation/Reference: Community vote distribution B (93%) 7%", "references": "" }, { "question": "Topic 1 A solutions architect must create a business case for migration of a company's on-premises data center to the AWS Cloud. The solutions architect will use a configuration management database (CMDB) export of all the company's servers to create the case. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Use AWS Well-Architected Tool to import the CMDB data to perform an analysis and", "B. Use Migration Evaluator to perform an analysis. Use the data import template to upload the", "C. Implement resource matching rules. Use the CMDB export and the AWS Price List Bulk API", "D. Use AWS Application Discovery Service to import the CMDB data to perform an analysis." ], "correct": "D. Use AWS Application Discovery Service to import the CMDB data to perform an analysis.", "explanation": "Explanation/Reference: Community vote distribution B (88%) 12%", "references": "" }, { "question": "Topic 1 A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL. The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an Amazon CloudWatch alarm that monitors server access. Set a threshold based", "B. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected", "C. Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold", "D. 
Inspect access logs to find a pattern of IP addresses that launched the attacks. Use an", "A. Add another Region to the Aurora MySQL DB cluster", "B. Add another Region to each table in the Aurora MySQL DB cluster", "C. Set up scheduled cross-Region backups for the DynamoDB table and the Aurora MySQL DB", "D. Convert the existing DynamoDB table to a global table by adding another Region to its" ], "correct": "C. Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold", "explanation": "Explanation/Reference: Community vote distribution AD (86%) 14%", "references": "" }, { "question": "Topic 1 A telecommunications company is running an application on AWS. The company has set up an AWS Direct Connect connection between the company's on-premises data center and AWS. The company deployed the application on Amazon EC2 instances in multiple Availability Zones behind an internal Application Load Balancer (ALB). The company's clients connect from the on-premises network by using HTTPS. The TLS terminates in the ALB. The company has multiple target groups and uses path-based routing to forward requests based on the URL path. The company is planning to deploy an on-premises firewall appliance with an allow list that is based on IP address. A solutions architect must develop a solution to allow traffic flow to AWS from the on-premises network so that the clients can continue to access the application. Which solution will meet these requirements?", "options": [ "A. Configure the existing ALB to use static IP addresses. Assign IP addresses in multiple", "B. Create a Network Load Balancer (NLB). Associate the NLB with one static IP addresses in", "C. Create a Network Load Balancer (NLB). Associate the NLB with one static IP addresses in", "D. Create a Gateway Load Balancer (GWLB). Assign static IP addresses to the GWLB in" ], "correct": "A. Configure the existing ALB to use static IP addresses. 
Assign IP addresses in multiple", "explanation": "Explanation/Reference: Community vote distribution B (91%) 5%", "references": "" }, { "question": "Topic 1 A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution. The company needs a solution that will prevent internet traffic from directly accessing the ALB. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create a new web ACL that contains the same rules that the existing web ACL contains.", "B. Associate the existing web ACL with the ALB.", "C. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for", "D. Add a security group rule to the ALB to allow only the various CloudFront IP address" ], "correct": "D. Add a security group rule to the ALB to allow only the various CloudFront IP address", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is running an application that uses an Amazon ElastiCache for Redis cluster as a caching layer. A recent security audit revealed that the company has configured encryption at rest for ElastiCache. However, the company did not configure ElastiCache to use encryption in transit. Additionally, users can access the cache without authentication. A solutions architect must make changes to require user authentication and to ensure that the company is using end-to-end encryption. Which solution will meet these requirements?", "options": [ "A. Create an AUTH token. Store the token in AWS Systems Manager Parameter Store, as an", "B. Create an AUTH token. Store the token in AWS Secrets Manager. Configure the existing", "C. Create an SSL certificate. 
Store the certificate in AWS Secrets Manager. Create a new", "D. Create an SSL certificate. Store the certificate in AWS Systems Manager Parameter Store," ], "correct": "C. Create an SSL certificate. Store the certificate in AWS Secrets Manager. Create a new", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is running a compute workload by using Amazon EC2 Spot Instances that are in an Auto Scaling group. The launch template uses two placement groups and a single instance type. Recently, a monitoring system reported Auto Scaling instance launch failures that correlated with longer wait times for system users. The company needs to improve the overall reliability of the workload. Which solution will meet this requirement?", "options": [ "A. Replace the launch template with a launch configuration to use an Auto Scaling group that", "B. Create a new launch template version that uses attribute-based instance type selection.", "C. Update the launch template Auto Scaling group to increase the number of placement", "D. Update the launch template to use a larger instance type." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is migrating a document processing workload to AWS. The company has updated many applications to natively use the Amazon S3 API to store, retrieve, and modify documents that a processing server generates at a rate of approximately 5 documents every second. After the document processing is finished, customers can download the documents directly from Amazon S3. During the migration, the company discovered that it could not immediately update the processing server that generates many documents to support the S3 API. The server runs on Linux and requires fast local access to the files that the server generates and modifies. 
When the server finishes processing, the files must be available to the public for download within 30 minutes. Which solution will meet these requirements with the LEAST amount of effort?", "options": [ "A. Migrate the application to an AWS Lambda function . Use the AWS SDK for Java to", "B. Set up an Amazon S3 File Gateway and configure a file share that is linked to the document", "C. Configure Amazon FSx for Lustre with an import and export policy. Link the new file", "D. Configure AWS DataSync to connect to an Amazon EC2 instance. Configure a task to" ], "correct": "C. Configure Amazon FSx for Lustre with an import and export policy. Link the new file", "explanation": "Explanation/Reference: Community vote distribution B (62%) C (33%) 5%", "references": "" }, { "question": "Topic 1 A delivery company is running a serverless solution in the AWS Cloud. The solution manages user data, delivery information, and past purchase details. The solution consists of several microservices. The central user service stores sensitive data in an Amazon DynamoDB table. Several of the other microservices store a copy of parts of the sensitive data in different storage services. The company needs the ability to delete user information upon request. As soon as the central user service deletes a user, every other microservice must also delete its copy of the data immediately. Which solution will meet these requirements?", "options": [ "A. Activate DynamoDB Streams on the DynamoDB table. Create an AWS Lambda trigger for", "B. Set up DynamoDB event notifications on the DynamoDB table. Create an Amazon Simple", "C. Configure the central user service to post an event on a custom Amazon EventBridge event", "D. Configure the central user service to post a message on an Amazon Simple Queue Service" ], "correct": "D. 
Configure the central user service to post a message on an Amazon Simple Queue Service", "explanation": "Explanation/Reference: Community vote distribution C (70%) A (25%) 5%", "references": "" }, { "question": "Topic 1 A company is running a web application in a VPC. The web application runs on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is using AWS WAF. An external customer needs to connect to the web application. The company must provide IP addresses to all external customers. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Replace the ALB with a Network Load Balancer (NLB). Assign an Elastic IP address to the", "B. Allocate an Elastic IP address. Assign the Elastic IP address to the ALB. Provide the Elastic IP", "C. Create an AWS Global Accelerator standard accelerator. Specify the ALB as the", "D. Configure an Amazon CloudFront distribution. Set the ALB as the origin. Ping the" ], "correct": "B. Allocate an Elastic IP address. Assign the Elastic IP address to the ALB. Provide the Elastic IP", "explanation": "Explanation/Reference: Community vote distribution C (91%) 6%", "references": "" }, { "question": "Topic 1 A company has a few AWS accounts for development and wants to move its production application to AWS. The company needs to enforce Amazon Elastic Block Store (Amazon EBS) encryption at rest on current production accounts and future production accounts only. The company needs a solution that includes built-in blueprints and guardrails. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Use AWS CloudFormation StackSets to deploy AWS Config rules on production accounts.", "B. Create a new AWS Control Tower landing zone in an existing developer account. Create", "C. Create a new AWS Control Tower landing zone in the company's management account.", "D. 
Invite existing accounts to join the organization in AWS Organizations. Create SCPs to" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CDF (72%) 14% 10%", "references": "" }, { "question": "Topic 1 A company is running a critical stateful web application on two Linux Amazon EC2 instances behind an Application Load Balancer (ALB) with an Amazon RDS for MySQL database. The company hosts the DNS records for the application in Amazon Route 53. A solutions architect must recommend a solution to improve the resiliency of the application. The solution must meet the following objectives: \u00b7 Application tier: RPO of 2 minutes. RTO of 30 minutes \u00b7 Database tier: RPO of 5 minutes. RTO of 30 minutes The company does not want to make significant changes to the existing application architecture. The company must ensure optimal latency after a failover. Which solution will meet these requirements?", "options": [ "A. Configure the EC2 instances to use AWS Elastic Disaster Recovery. Create a cross-Region", "B. Configure the EC2 instances to use Amazon Data Lifecycle Manager (Amazon DLM) to take", "C. Create a backup plan in AWS Backup for the EC2 instances and RDS DB instance.", "D. Configure the EC2 instances to use Amazon Data Lifecycle Manager (Amazon DLM) to take" ], "correct": "B. Configure the EC2 instances to use Amazon Data Lifecycle Manager (Amazon DLM) to take", "explanation": "Explanation/Reference: Community vote distribution A (95%) 5%", "references": "" }, { "question": "Topic 1 A solutions architect wants to cost-optimize and appropriately size Amazon EC2 instances in a single AWS account. The solutions architect wants to ensure that the instances are optimized based on CPU, memory, and network metrics. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Purchase AWS Business Support or AWS Enterprise Support for the account.", "B. 
Turn on AWS Trusted Advisor and review any \"Low Utilization Amazon EC2 Instances\"", "C. Install the Amazon CloudWatch agent and configure memory metric collection on the EC2", "D. Configure AWS Compute Optimizer in the AWS account to receive findings and" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CD (91%) 9%", "references": "" }, { "question": "Topic 1 A company uses an AWS CodeCommit repository. The company must store a backup copy of the data that is in the repository in a second AWS Region. Which solution will meet these requirements?", "options": [ "A. Configure AWS Elastic Disaster Recovery to replicate the CodeCommit repository data to", "B. Use AWS Backup to back up the CodeCommit repository on an hourly schedule. Create a", "C. Create an Amazon EventBridge rule to invoke AWS CodeBuild when the company pushes", "D. Create an AWS Step Functions workflow on an hourly schedule to take a snapshot of the" ], "correct": "C. Create an Amazon EventBridge rule to invoke AWS CodeBuild when the company pushes", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A company has multiple business units that each have separate accounts on AWS. Each business unit manages its own network with several VPCs that have CIDR ranges that overlap. The company's marketing team has created a new internal application and wants to make the application accessible to all the other business units. The solution must use private IP addresses only. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Instruct each business unit to add a unique secondary CIDR range to the business unit's", "B. Create an Amazon EC2 instance to serve as a virtual appliance in the marketing account's", "D. Create a Network Load Balancer (NLB) in front of the marketing application in a private" ], "correct": "D. 
Create a Network Load Balancer (NLB) in front of the marketing application in a private", "explanation": "Explanation/Reference: Community vote distribution C (94%) 6%", "references": "" }, { "question": "Topic 1 A company needs to audit the security posture of a newly acquired AWS account. The company's data security team requires a notification only when an Amazon S3 bucket becomes publicly exposed. The company has already established an Amazon Simple Notification Service (Amazon SNS) topic that has the data security team's email address subscribed. Which solution will meet these requirements?", "options": [ "A. Create an S3 event notification on all S3 buckets for the isPublic event. Select the SNS", "B. Create an analyzer in AWS Identity and Access Management Access Analyzer. Create an", "C. Create an Amazon EventBridge rule for the event type \"Bucket-Level API Call via", "D. Activate AWS Config and add the cloudtrail-s3-dataevents-enabled rule. Create an Amazon" ], "correct": "A. Create an S3 event notification on all S3 buckets for the isPublic event. Select the SNS", "explanation": "Explanation/Reference: Community vote distribution B (94%) 6%", "references": "" }, { "question": "Topic 1 A solutions architect needs to assess a newly acquired company's portfolio of applications and databases. The solutions architect must create a business case to migrate the portfolio to AWS. The newly acquired company runs applications in an on-premises data center. The data center is not well documented. The solutions architect cannot immediately determine how many applications and databases exist. Traffic for the applications is variable. Some applications are batch processes that run at the end of each month. The solutions architect must gain a better understanding of the portfolio before a migration to AWS can begin. Which solution will meet these requirements?", "options": [ "A. 
Use AWS Server Migration Service (AWS SMS) and AWS Database Migration Service (AWS", "B. Use AWS Application Migration Service. Run agents on the on-premises infrastructure.", "C. Use Migration Evaluator to generate a list of servers. Build a report for a business case.", "D. Use AWS Control Tower in the destination account to generate an application portfolio." ], "correct": "B. Use AWS Application Migration Service. Run agents on the on-premises infrastructure.", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A company has an application that runs as a ReplicaSet of multiple pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The EKS cluster has nodes in multiple Availability Zones. The application generates many small files that must be accessible across all running instances of the application. The company needs to back up the files and retain the backups for 1 year. Which solution will meet these requirements while providing the FASTEST storage performance?", "options": [ "A. Create an Amazon Elastic File System (Amazon EFS) file system and a mount target for", "B. Create an Amazon Elastic Block Store (Amazon EBS) volume. Enable the EBS Multi-Attach", "C. Create an Amazon S3 bucket. Configure the ReplicaSet to mount the S3 bucket. Direct the", "D. Configure the ReplicaSet to use the storage available on each of the running application" ], "correct": "A. Create an Amazon Elastic File System (Amazon EFS) file system and a mount target for", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company runs a customer service center that accepts calls and automatically sends all customers a managed, interactive, two-way experience survey by text message. The applications that support the customer service center run on machines that the company hosts in an on-premises data center.
The hardware that the company uses is old, and the company is experiencing downtime with the system. The company wants to migrate the system to AWS to improve reliability. Which solution will meet these requirements with the LEAST ongoing operational overhead?", "options": [ "A. Use Amazon Connect to replace the old call center hardware. Use Amazon Pinpoint to", "B. Use Amazon Connect to replace the old call center hardware. Use Amazon Simple", "C. Migrate the call center software to Amazon EC2 instances that are in an Auto Scaling", "D. Use Amazon Pinpoint to replace the old call center hardware and to send text message" ], "correct": "A. Use Amazon Connect to replace the old call center hardware. Use Amazon Pinpoint to", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is building a call center by using Amazon Connect. The company's operations team is defining a disaster recovery (DR) strategy across AWS Regions. The contact center has dozens of contact flows, hundreds of users, and dozens of claimed phone numbers. Which solution will provide DR with the LOWEST RTO?", "options": [ "A. Create an AWS Lambda function to check the availability of the Amazon Connect instance", "B. Provision a new Amazon Connect instance with all existing users in a second Region.", "C. Provision a new Amazon Connect instance with all existing contact flows and claimed", "D. Provision a new Amazon Connect instance with all existing users and contact flows in a" ], "correct": "D. Provision a new Amazon Connect instance with all existing users and contact flows in a", "explanation": "Explanation/Reference: Community vote distribution D (85%) B (15%)", "references": "" }, { "question": "Topic 1 A company runs an application on AWS. The company curates data from several different sources. The company uses proprietary algorithms to perform data transformations and aggregations.
After the company performs ETL processes, the company stores the results in Amazon Redshift tables. The company sells this data to other companies. The company downloads the data as files from the Amazon Redshift tables and transmits the files to several data customers by using FTP. The number of data customers has grown significantly. Management of the data customers has become difficult. The company will use AWS Data Exchange to create a data product that the company can use to share data with customers. The company wants to confirm the identities of the customers before the company shares data. The customers also need access to the most recent data when the company publishes the data. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Use AWS Data Exchange for APIs to share data with customers. Configure subscription", "B. In the AWS account of the company that produces the data, create an AWS Data Exchange", "C. Download the data from the Amazon Redshift tables to an Amazon S3 bucket periodically.", "D. Publish the Amazon Redshift data to an Open Data on AWS Data Exchange. Require the" ], "correct": "B. In the AWS account of the company that produces the data, create an AWS Data Exchange", "explanation": "Explanation/Reference: Community vote distribution B (90%) 10%", "references": "" }, { "question": "Topic 1 A solutions architect is designing a solution to process events. The solution must have the ability to scale in and out based on the number of events that the solution receives. If a processing error occurs, the event must move into a separate queue for review. Which solution will meet these requirements?", "options": [ "A. Send event details to an Amazon Simple Notification Service (Amazon SNS) topic.", "B. Publish events to an Amazon Simple Queue Service (Amazon SQS) queue. Create an", "C. Write events to an Amazon DynamoDB table. Configure a DynamoDB stream for the table.", "D.
Publish events to an Amazon EventBridge event bus. Create and run an application on an" ], "correct": "B. Publish events to an Amazon Simple Queue Service (Amazon SQS) queue. Create an", "explanation": "Explanation/Reference: Community vote distribution A (59%) B (41%)", "references": "" }, { "question": "Topic 1 A company runs a processing engine in the AWS Cloud. The engine processes environmental data from logistics centers to calculate a sustainability index. The company has millions of devices in logistics centers that are spread across Europe. The devices send information to the processing engine through a RESTful API. The API experiences unpredictable bursts of traffic. The company must implement a solution to process all data that the devices send to the processing engine. Data loss is unacceptable. Which solution will meet these requirements?", "options": [ "A. Create an Application Load Balancer (ALB) for the RESTful API. Create an Amazon Simple", "B. Create an Amazon API Gateway HTTP API that implements the RESTful API. Create an", "C. Create an Amazon API Gateway REST API that implements the RESTful API. Create a fleet", "D. Create an Amazon CloudFront distribution for the RESTful API. Create a data stream in" ], "correct": "B. Create an Amazon API Gateway HTTP API that implements the RESTful API. Create an", "explanation": "Explanation/Reference: Community vote distribution B (90%) 8%", "references": "" }, { "question": "Topic 1 A company is designing its network configuration in the AWS Cloud. The company uses AWS Organizations to manage a multi-account setup. The company has three OUs. Each OU contains more than 100 AWS accounts. Each account has a single VPC, and all the VPCs in each OU are in the same AWS Region. The CIDR ranges for all the AWS accounts do not overlap. The company needs to implement a solution in which VPCs in the same OU can communicate with each other but cannot communicate with VPCs in other OUs.
Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an AWS CloudFormation stack set that establishes VPC peering between accounts", "B. In each OU, create a dedicated networking account that has a single VPC. Share this VPC", "C. Provision a transit gateway in an account in each OU. Share the transit gateway across the \u00b7", "D. In each OU, create a dedicated networking account that has a single VPC. Establish a VPN" ], "correct": "D. In each OU, create a dedicated networking account that has a single VPC. Establish a VPN", "explanation": "Explanation/Reference: Community vote distribution C (72%) A (15%) 11%", "references": "" }, { "question": "Topic 1 A company is migrating an application to AWS. It wants to use fully managed services as much as possible during the migration. The company needs to store large important documents within the application with the following requirements: 1. The data must be highly durable and available 2. The data must always be encrypted at rest and in transit 3. The encryption key must be managed by the company and rotated periodically Which of the following solutions should the solutions architect recommend?", "options": [ "A. Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume", "B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and", "C. Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to", "D. Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume" ], "correct": "B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company's public API runs as tasks on Amazon Elastic Container Service (Amazon ECS).
The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months. Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount. A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency. Which solution meets these requirements?", "options": [ "A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that", "B. Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot", "C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL", "D. Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule" ], "correct": "C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 An environmental company is deploying sensors in major cities throughout a country to measure air quality. The sensors connect to AWS IoT Core to ingest timeseries data readings. The company stores the data in Amazon DynamoDB. For business continuity, the company must have the ability to ingest and store data in two AWS Regions. Which solution will meet these requirements?", "options": [ "A. Create an Amazon Route 53 alias failover routing policy with values for AWS IoT Core data", "B. Create a domain configuration for AWS IoT Core in each Region. Create an Amazon Route", "C. Create a domain configuration for AWS IoT Core in each Region. Create an Amazon Route" ], "correct": "C.
Create a domain configuration for AWS IoT Core in each Region. Create an Amazon Route", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company's finance team has a data processing application that uses AWS Lambda and Amazon DynamoDB. The company's marketing team wants to access the data that is stored in the DynamoDB table. The DynamoDB table contains confidential data. The marketing team can have access to only specific attributes of data in the DynamoDB table. The finance team and the marketing team have separate AWS accounts. What should a solutions architect do to provide the marketing team with the appropriate access to the DynamoDB table?", "options": [ "A. Create an SCP to grant the marketing team's AWS account access to the specific attributes", "B. Create an IAM role in the finance team's account by using IAM policy conditions for", "C. Create a resource-based IAM policy that includes conditions for specific DynamoDB", "D. Create an IAM role in the finance team's account to access the DynamoDB table. Use an" ], "correct": "B. Create an IAM role in the finance team's account by using IAM policy conditions for", "explanation": "Explanation/Reference: Community vote distribution B (94%) 6%", "references": "" }, { "question": "Topic 1 A solutions architect is creating an application that stores objects in an Amazon S3 bucket. The solutions architect must deploy the application in two AWS Regions that will be used simultaneously. The objects in the two S3 buckets must remain synchronized with each other. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)", "options": [ "A. Create an S3 Multi-Region Access Point. Change the application to refer to the Multi-Region", "B.
Configure two-way S3 Cross-Region Replication (CRR) between the two S3 buckets", "C. Modify the application to store objects in each S3 bucket", "D. Create an S3 Lifecycle rule for each S3 bucket to copy objects from one S3 bucket to the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABE (100%)", "references": "" }, { "question": "Topic 1 A company has an IoT platform that runs in an on-premises environment. The platform consists of a server that connects to IoT devices by using the MQTT protocol. The platform collects telemetry data from the devices at least once every 5 minutes. The platform also stores device metadata in a MongoDB cluster. An application that is installed on an on-premises machine runs periodic jobs to aggregate and transform the telemetry and device metadata. The application creates reports that users view by using another web application that runs on the same on-premises machine. The periodic jobs take 120-600 seconds to run. However, the web application is always running. The company is moving the platform to AWS and must reduce the operational overhead of the stack. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)", "options": [ "A. Use AWS Lambda functions to connect to the IoT devices", "B. Configure the IoT devices to publish to AWS IoT Core", "C. Write the metadata to a self-managed MongoDB database on an Amazon EC2 instance", "D. Write the metadata to Amazon DocumentDB (with MongoDB compatibility)" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BDE (100%)", "references": "" }, { "question": "Topic 1 A global manufacturing company plans to migrate the majority of its applications to AWS.
However, the company is concerned about applications that need to remain within a specific country or in the company's central on-premises data center because of data regulatory requirements or requirements for latency of single-digit milliseconds. The company also is concerned about the applications that it hosts in some of its factory sites, where limited network infrastructure exists. The company wants a consistent developer experience so that its developers can build applications once and deploy on premises, in the cloud, or in a hybrid architecture. The developers must be able to use the same tools, APIs, and services that are familiar to them. Which solution will provide a consistent hybrid experience to meet these requirements?", "options": [ "A. Migrate all applications to the closest AWS Region that is compliant. Set up an AWS Direct", "B. Use AWS Snowball Edge Storage Optimized devices for the applications that have data", "C. Install AWS Outposts for the applications that have data regulatory requirements or", "D. Migrate the applications that have data regulatory requirements or requirements for" ], "correct": "C. Install AWS Outposts for the applications that have data regulatory requirements or", "explanation": "Explanation/Reference: Community vote distribution C (85%) D (15%)", "references": "" }, { "question": "Topic 1 A company is updating an application that customers use to make online orders. The number of attacks on the application by bad actors has increased recently. The company will host the updated application on an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use Amazon DynamoDB to store application data. A public Application Load Balancer (ALB) will provide end users with access to the application. The company must prevent attacks and ensure business continuity with minimal service interruptions during an ongoing attack.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)", "options": [ "A. Create an Amazon CloudFront distribution with the ALB as the origin. Add a custom header", "B. Deploy the application in two AWS Regions. Configure Amazon Route 53 to route to both", "C. Configure auto scaling for Amazon ECS tasks. Create a DynamoDB Accelerator (DAX)", "D. Configure Amazon ElastiCache to reduce overhead on DynamoDB." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AE (93%) 7%", "references": "" }, { "question": "Topic 1 A company runs a web application on AWS. The web application delivers static content from an Amazon S3 bucket that is behind an Amazon CloudFront distribution. The application serves dynamic content by using an Application Load Balancer (ALB) that distributes requests to a fleet of Amazon EC2 instances in Auto Scaling groups. The application uses a domain name setup in Amazon Route 53. Some users reported occasional issues when the users attempted to access the website during peak hours. An operations team found that the ALB sometimes returned HTTP 503 Service Unavailable errors. The company wants to display a custom error message page when these errors occur. The page should be displayed immediately for this error code. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Set up a Route 53 failover routing policy. Configure a health check to determine the status", "B. Create a second CloudFront distribution and an S3 static website to host the custom error", "C. Create a CloudFront origin group that has two origins. Set the ALB endpoint as the primary \u00b7", "D. Create a CloudFront function that validates each HTTP response code that the ALB" ], "correct": "C. Create a CloudFront origin group that has two origins.
Set the ALB endpoint as the primary \u00b7", "explanation": "Explanation/Reference: Community vote distribution C (73%) D (27%)", "references": "" }, { "question": "Topic 1 A company is planning to migrate an application to AWS. The application runs as a Docker container and uses an NFS version 4 file share. A solutions architect must design a secure and scalable containerized solution that does not require provisioning or management of the underlying infrastructure. Which solution will meet these requirements?", "options": [ "A. Deploy the application containers by using Amazon Elastic Container Service (Amazon", "B. Deploy the application containers by using Amazon Elastic Container Service (Amazon", "C. Deploy the application containers by using Amazon Elastic Container Service (Amazon", "D. Deploy the application containers by using Amazon Elastic Container Service (Amazon", "A. Create a second ALB, and deploy the new logic to a set of EC2 instances in a new Auto", "B. Create a second target group that is referenced by the ALB. Deploy the new logic to EC2", "C. Create a new launch configuration for the Auto Scaling group. Specify the launch", "D. Create a second Auto Scaling group that is referenced by the ALB. Deploy the new logic on" ], "correct": "B. Create a second target group that is referenced by the ALB. Deploy the new logic to EC2", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A large education company recently introduced Amazon Workspaces to provide access to internal applications across multiple universities. The company is storing user profiles on an Amazon FSx for Windows File Server file system. The file system is configured with a DNS alias and is connected to a self-managed Active Directory. As more users begin to use the Workspaces, login time increases to unacceptable levels. An investigation reveals a degradation in performance of the file system.
The company created the file system on HDD storage with a throughput of 16 MBps. A solutions architect must improve the performance of the file system during a defined maintenance window. What should the solutions architect do to meet these requirements with the LEAST administrative effort?", "options": [ "A. Use AWS Backup to create a point-in-time backup of the file system. Restore the backup to", "C. Deploy an AWS DataSync agent onto a new Amazon EC2 instance. Create a task. Configure", "D. Enable shadow copies on the existing file system by using a Windows PowerShell" ], "correct": "A. Use AWS Backup to create a point-in-time backup of the file system. Restore the backup to", "explanation": "Explanation/Reference: Community vote distribution B (64%) A (36%)", "references": "" }, { "question": "Topic 1 A company hosts an application on AWS. The application reads and writes objects that are stored in a single Amazon S3 bucket. The company must modify the application to deploy the application in two AWS Regions. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Set up an Amazon CloudFront distribution with the S3 bucket as an origin. Deploy the", "B. Create a new S3 bucket in a second Region. Set up bidirectional S3 Cross-Region", "C. Create a new S3 bucket in a second Region. Deploy the application in the second Region.", "D. Set up an S3 gateway endpoint with the S3 bucket as an origin. Deploy the application to a" ], "correct": "B. Create a new S3 bucket in a second Region. Set up bidirectional S3 Cross-Region", "explanation": "Explanation/Reference: Community vote distribution B (86%) 14%", "references": "" }, { "question": "Topic 1 An online gaming company needs to rehost its gaming platform on AWS. The company's gaming application requires high performance computing (HPC) processing and has a leaderboard that changes frequently.
An Ubuntu instance that is optimized for compute generation hosts a Node.js application for game display. Game state is tracked in an on-premises Redis instance. The company needs a migration strategy that optimizes application performance. Which solution will meet these requirements?", "options": [ "A. Create an Auto Scaling group of m5.large Amazon EC2 Spot Instances behind an", "B. Create an Auto Scaling group of c5.large Amazon EC2 Spot Instances behind an", "C. Create an Auto Scaling group of c5.large Amazon EC2 On-Demand Instances behind an", "D. Create an Auto Scaling group of m5.large Amazon EC2 On-Demand Instances behind an" ], "correct": "C. Create an Auto Scaling group of c5.large Amazon EC2 On-Demand Instances behind an", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A solutions architect is designing an application to accept timesheet entries from employees on their mobile devices. Timesheets will be submitted weekly, with most of the submissions occurring on Friday. The data must be stored in a format that allows payroll administrators to run monthly reports. The infrastructure must be highly available and scale to match the rate of incoming data and reporting requests. Which combination of steps meets these requirements while minimizing operational overhead? (Choose two.)", "options": [ "A. Deploy the application to Amazon EC2 On-Demand Instances with load balancing across", "B. Deploy the application in a container using Amazon Elastic Container Service (Amazon", "C. Deploy the application front end to an Amazon S3 bucket served by Amazon CloudFront.", "D. Store the timesheet submission data in Amazon Redshift. Use Amazon QuickSight to" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CE (56%) BE (23%) 13% 6%", "references": "" }, { "question": "Topic 1 A company is storing sensitive data in an Amazon S3 bucket.
The company must log all activities for objects in the S3 bucket and must keep the logs for 5 years. The company's security team also must receive an email notification every time there is an attempt to delete data in the S3 bucket. Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)", "options": [ "A. Configure AWS CloudTrail to log S3 data events.", "B. Configure S3 server access logging for the S3 bucket.", "C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service", "D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ADF (61%) BDF (38%) 1%", "references": "" }, { "question": "Topic 1 A company is building a hybrid environment that includes servers in an on-premises data center and in the AWS Cloud. The company has deployed Amazon EC2 instances in three VPCs. Each VPC is in a different AWS Region. The company has established an AWS Direct Connect connection to the data center from the Region that is closest to the data center. The company needs the servers in the on-premises data center to have access to the EC2 instances in all three VPCs. The servers in the on-premises data center also must have access to AWS public services. Which combination of steps will meet these requirements with the LEAST cost? (Choose two.)", "options": [ "A. Create a Direct Connect gateway in the Region that is closest to the data center. Attach the", "B. Set up additional Direct Connect connections from the on-premises data center to the", "C. Create a private VIF. Establish an AWS Site-to-Site VPN connection over the private VIF to", "D. Create a public VIF.
Establish an AWS Site-to-Site VPN connection over the public VIF to" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AD (100%)", "references": "" }, { "question": "Topic 1 A company is using an organization in AWS Organizations to manage hundreds of AWS accounts. A solutions architect is working on a solution to provide baseline protection for the Open Web Application Security Project (OWASP) top 10 web application vulnerabilities. The solutions architect is using AWS WAF for all existing and new Amazon CloudFront distributions that are deployed within the organization. Which combination of steps should the solutions architect take to provide the baseline protection? (Choose three.)", "options": [ "A. Enable AWS Config in all accounts", "B. Enable Amazon GuardDuty in all accounts", "C. Enable all features for the organization", "D. Use AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACD (70%) 7% 7% Other", "references": "" }, { "question": "Topic 1 A solutions architect has implemented a SAML 2.0 federated identity solution with their company's on-premises identity provider (IdP) to authenticate users' access to the AWS environment. When the solutions architect tests authentication through the federated identity web portal, access to the AWS environment is granted. However, when test users attempt to authenticate through the federated identity web portal, they are not able to access the AWS environment. Which items should the solutions architect check to ensure identity federation is properly configured? (Choose three.)", "options": [ "A. The IAM user's permissions policy has allowed the use of SAML federation for that user.", "B. The IAM roles created for the federated users' or federated groups' trust policy have set", "C. Test users are not in the AWSFederatedUsers group in the company's IdP.", "D.
The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BCE (69%) B (15%) BD (15%)", "references": "" }, { "question": "Topic 1 A solutions architect needs to improve an application that is hosted in the AWS Cloud. The application uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application's operations insert records into the database. The application currently stores credentials in a text-based configuration file. The solutions architect needs to implement a solution so that the application can handle the current connection load. The solution must keep the credentials secure and must provide the ability to rotate the credentials automatically on a regular basis. Which solution will meet these requirements?", "options": [ "A. Deploy an Amazon RDS Proxy layer. In front of the DB instance. Store the connection", "B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection", "C. Create an Aurora Replica. Store the connection credentials as a secret in AWS Secrets", "D. Create an Aurora Replica. Store the connection credentials in AWS Systems Manager" ], "correct": "A. Deploy an Amazon RDS Proxy layer. In front of the DB instance. Store the connection", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company needs to build a disaster recovery (DR) solution for its ecommerce website. The web application is hosted on a fleet of t3.large Amazon EC2 instances and uses an Amazon RDS for MySQL DB instance. The EC2 instances are in an Auto Scaling group that extends across multiple Availability Zones. In the event of a disaster, the web application must fail over to the secondary environment with an RPO of 30 seconds and an RTO of 10 minutes.
Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region.", "B. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region.", "C. Set up a backup plan in AWS Backup to create cross-Region backups for the EC2 instances", "D. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region." ], "correct": "B. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region.", "explanation": "Explanation/Reference: Community vote distribution B (88%) 6%", "references": "" }, { "question": "Topic 1 A company is planning a one-time migration of an on-premises MySQL database to Amazon Aurora MySQL in the us-east-1 Region. The company's current internet connection has limited bandwidth. The on-premises MySQL database is 60 TB in size. The company estimates that it will take a month to transfer the data to AWS over the current internet connection. The company needs a migration solution that will migrate the database more quickly. Which solution will migrate the database in the LEAST amount of time?", "options": [ "A. Request a 1 Gbps AWS Direct Connect connection between the on-premises data center", "B. Use AWS DataSync with the current internet connection to accelerate the data transfer", "C. Order an AWS Snowball Edge device. Load the data into an Amazon S3 bucket by using the", "D. Order an AWS Snowball device. Load the data into an Amazon S3 bucket by using the S3" ], "correct": "C. Order an AWS Snowball Edge device. Load the data into an Amazon S3 bucket by using the", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A company has an application in the AWS Cloud. The application runs on a fleet of 20 Amazon EC2 instances.
The EC2 instances are persistent and store data on multiple attached Amazon Elastic Block Store (Amazon EBS) volumes. The company must maintain backups in a separate AWS Region. The company must be able to recover the EC2 instances and their configuration within 1 business day, with loss of no more than 1 day's worth of data. The company has limited staff and needs a backup solution that optimizes operational efficiency and cost. The company already has created an AWS CloudFormation template that can deploy the required network configuration in a secondary Region. Which solution will meet these requirements?", "options": [ "A. Create a second CloudFormation template that can recreate the EC2 instances in the", "B. Use Amazon Data Lifecycle Manager (Amazon DLM) to create daily multivolume snapshots", "C. Use AWS Backup to create a scheduled daily backup plan for the EC2 instances. Configure", "D. Deploy EC2 instances of the same size and configuration to the secondary Region." ], "correct": "C. Use AWS Backup to create a scheduled daily backup plan for the EC2 instances. Configure", "explanation": "Explanation/Reference: Community vote distribution C (83%) B (17%)", "references": "" }, { "question": "Topic 1 A company is designing a new website that hosts static content. The website will give users the ability to upload and download large files. According to company requirements, all data must be encrypted in transit and at rest. A solutions architect is building the solution by using Amazon S3 and Amazon CloudFront. Which combination of steps will meet the encryption requirements? (Choose three.)", "options": [ "A. Turn on S3 server-side encryption for the S3 bucket that the web application uses.", "B. Add a policy attribute of \"aws:SecureTransport\": \"true\" for read and write operations in the", "C.
Create a bucket policy that denies any unencrypted operations in the S3 bucket that the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACE (93%) 4%", "references": "" }, { "question": "Topic 1 A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system. The company's developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only members of the IT security team's IAM user group can access. This key must be rotated on a regular basis. What should a solutions architect do in the production environment to meet these requirements?", "options": [ "A. Store the database credentials in AWS Systems Manager Parameter Store by using a", "B. Encrypt the database credentials by using the AWS Key Management Service (AWS KMS)", "C. Store the database credentials in the environment variables of each Lambda function.", "D. Store the database credentials in AWS Secrets Manager as a secret that is associated with" ], "correct": "D. Store the database credentials in AWS Secrets Manager as a secret that is associated with", "explanation": "Explanation/Reference: Community vote distribution D (79%) A (21%)", "references": "" }, { "question": "Topic 1 An online retail company is migrating its legacy on-premises .NET application to AWS. The application runs on load-balanced frontend web servers, load-balanced application servers, and a Microsoft SQL Server database. The company wants to use AWS managed services where possible and does not want to rewrite the application. A solutions architect needs to implement a solution to resolve scaling issues and minimize licensing costs as the application scales.
Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Deploy Amazon EC2 instances in an Auto Scaling group behind an Application Load", "B. Create images of all the servers by using AWS Database Migration Service (AWS DMS).", "C. Containerize the web frontend tier and the application tier. Provision an Amazon Elastic", "D. Separate the application functions into AWS Lambda functions. Use Amazon API Gateway" ], "correct": "A. Deploy Amazon EC2 instances in an Auto Scaling group behind an Application Load", "explanation": "Explanation/Reference: Community vote distribution A (86%) 14%", "references": "" }, { "question": "Topic 1 A software-as-a-service (SaaS) provider exposes APIs through an Application Load Balancer (ALB). The ALB connects to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that is deployed in the us-east-1 Region. The exposed APIs contain usage of a few non-standard REST methods: LINK, UNLINK, LOCK, and UNLOCK. Users outside the United States are reporting long and inconsistent response times for these APIs. A solutions architect needs to resolve this problem with a solution that minimizes operational overhead. Which solution meets these requirements?", "options": [ "A. Add an Amazon CloudFront distribution. Configure the ALB as the origin.", "C. Add an accelerator in AWS Global Accelerator. Configure the ALB as the origin.", "D. Deploy the APIs to two additional AWS Regions: eu-west-1 and ap-southeast-2. Add" ], "correct": "C. Add an accelerator in AWS Global Accelerator. Configure the ALB as the origin.", "explanation": "Explanation/Reference: Community vote distribution C (69%) B (24%) 5%", "references": "" }, { "question": "Topic 1 A company runs an IoT application in the AWS Cloud. The company has millions of sensors that collect data from houses in the United States. The sensors use the MQTT protocol to connect and send data to a custom MQTT broker.
The MQTT broker stores the data on a single Amazon EC2 instance. The sensors connect to the broker through the domain named iot.example.com. The company uses Amazon Route 53 as its DNS service. The company stores the data in Amazon DynamoDB. On several occasions, the amount of data has overloaded the MQTT broker and has resulted in lost sensor data. The company must improve the reliability of the solution. Which solution will meet these requirements?", "options": [ "A. Create an Application Load Balancer (ALB) and an Auto Scaling group for the MQTT", "B. Set up AWS IoT Core to receive the sensor data. Create and configure a custom domain to", "C. Create a Network Load Balancer (NLB). Set the MQTT broker as the target. Create an AWS", "D. Set up AWS IoT Greengrass to receive the sensor data. Update the DNS record in Route 53" ], "correct": "C. Create a Network Load Balancer (NLB). Set the MQTT broker as the target. Create an AWS", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has Linux-based Amazon EC2 instances. Users must access the instances by using SSH with EC2 SSH key pairs. Each machine requires a unique EC2 key pair. The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the keys in a securely encrypted place. The company will accept less than 1 minute of downtime during key rotation. Which solution will meet these requirements?", "options": [ "A. Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to", "B. Store all the keys in Parameter Store, a capability of AWS Systems Manager, as a string.", "C. Import the EC2 key pairs into AWS Key Management Service (AWS KMS). Configure", "D. Add all the EC2 instances to Fleet Manager, a capability of AWS Systems Manager. Define" ], "correct": "A. Store all the keys in AWS Secrets Manager.
Define a Secrets Manager rotation schedule to", "explanation": "Explanation/Reference: Community vote distribution A (80%) D (20%)", "references": "" }, { "question": "Topic 1 A company wants to migrate to AWS. The company is running thousands of VMs in a VMware ESXi environment. The company has no configuration management database and has little knowledge about the utilization of the VMware portfolio. A solutions architect must provide the company with an accurate inventory so that the company can plan for a cost-effective migration. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Use AWS Systems Manager Patch Manager to deploy Migration Evaluator to each VM.", "B. Export the VMware portfolio to a .csv file. Check the disk utilization for each server.", "C. Deploy the Migration Evaluator agentless collector to the ESXi hypervisor. Review the", "D. Deploy the AWS Application Migration Service Agent to each VM. When the data is" ], "correct": "C. Deploy the Migration Evaluator agentless collector to the ESXi hypervisor. Review the", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company runs a microservice as an AWS Lambda function. The microservice writes data to an on-premises SQL database that supports a limited number of concurrent connections. When the number of Lambda function invocations is too high, the database crashes and causes application downtime. The company has an AWS Direct Connect connection between the company's VPC and the on-premises data center. The company wants to protect the database from crashes. Which solution will meet these requirements?", "options": [ "A. Write the data to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the", "B. Create a new Amazon Aurora Serverless DB cluster. Use AWS DataSync to migrate the data", "C. Create an Amazon RDS Proxy DB instance.
Attach the RDS Proxy DB instance to the", "D. Write the data to an Amazon Simple Notification Service (Amazon SNS) topic. Invoke the", "A. Migrate to Amazon CloudWatch dashboards. Recreate the dashboards to match the", "B. Create an Amazon Managed Grafana workspace. Configure a new Amazon CloudWatch", "C. Create an AMI that has Grafana pre-installed. Store the existing dashboards in Amazon", "D. Configure AWS Backup to back up the EC2 instance that runs Grafana once each hour." ], "correct": "B. Create an Amazon Managed Grafana workspace. Configure a new Amazon CloudWatch", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company needs to migrate its customer transactions database from on premises to AWS. The database resides on an Oracle DB instance that runs on a Linux server. According to a new security requirement, the company must rotate the database password each year. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Convert the database to Amazon DynamoDB by using the AWS Schema Conversion Tool", "B. Migrate the database to Amazon RDS for Oracle. Store the password in AWS Secrets", "C. Migrate the database to an Amazon EC2 instance. Use AWS Systems Manager Parameter", "D. Migrate the database to Amazon Neptune by using the AWS Schema Conversion Tool" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A solutions architect is designing an AWS account structure for a company that consists of multiple teams. All the teams will work in the same AWS Region. The company needs a VPC that is connected to the on-premises network. The company expects less than 50 Mbps of total traffic to and from the on-premises network. Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)", "options": [ "A.
Create an AWS CloudFormation template that provisions a VPC and the required subnets.", "B. Create an AWS CloudFormation template that provisions a VPC and the required subnets.", "C. Use AWS Transit Gateway along with an AWS Site-to-Site VPN for connectivity to the on-", "D. Use AWS Site-to-Site VPN for connectivity to the on-premises network." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (70%) BC (22%) 7%", "references": "" }, { "question": "Topic 1 A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations. The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway. Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet. The company deploys resources only into a single AWS Region. The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization. The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone. Which solution meets these requirements?", "options": [ "A. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway", "B. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway", "C. Create an AWS Network Firewall firewall for rule-based filtering in each AWS account.", "D. In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2" ], "correct": "D. In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company uses a load balancer to distribute traffic to Amazon EC2 instances in a single Availability Zone.
The company is concerned about security and wants a solutions architect to re-architect the solution to meet the following requirements: \u00b7 Inbound requests must be filtered for common vulnerability attacks. \u00b7 Rejected requests must be sent to a third-party auditing application. \u00b7 All resources should be highly available. Which solution meets these requirements?", "options": [ "A. Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application", "B. Configure an Application Load Balancer (ALB) and add the EC2 instances as targets.", "C. Configure an Application Load Balancer (ALB) along with a target group adding the EC2", "D. Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application" ], "correct": "B. Configure an Application Load Balancer (ALB) and add the EC2 instances as targets.", "explanation": "Explanation/Reference: Community vote distribution D (83%) Other", "references": "" }, { "question": "Topic 1 A company is running an application in the AWS Cloud. The application consists of microservices that run on a fleet of Amazon EC2 instances in multiple Availability Zones behind an Application Load Balancer. The company recently added a new REST API that was implemented in Amazon API Gateway. Some of the older microservices that run on EC2 instances need to call this new API. The company does not want the API to be accessible from the public internet and does not want proprietary data to traverse the public internet. What should a solutions architect do to meet these requirements?", "options": [ "A. Create an AWS Site-to-Site VPN connection between the VPC and the API Gateway. Use", "B. Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow", "C. Modify the API Gateway to use IAM authentication. Update the IAM policy for the IAM role", "D.
Create an accelerator in AWS Global Accelerator, and connect the accelerator to the API" ], "correct": "C. Modify the API Gateway to use IAM authentication. Update the IAM policy for the IAM role", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has set up its entire infrastructure on AWS. The company uses Amazon EC2 instances to host its ecommerce website and uses Amazon S3 to store static data. Three engineers at the company handle the cloud administration and development through one AWS account. Occasionally, an engineer alters an EC2 security group configuration of another engineer and causes noncompliance issues in the environment. A solutions architect must set up a system that tracks changes that the engineers make. The system must send alerts when the engineers make noncompliant changes to the security settings for the EC2 instances. What is the FASTEST way for the solutions architect to meet these requirements?", "options": [ "A. Set up AWS Organizations for the company. Apply SCPs to govern and track noncompliant", "B. Enable AWS CloudTrail to capture the changes to EC2 security groups. Enable Amazon", "C. Enable SCPs on the AWS account to provide alerts when noncompliant security group", "D. Enable AWS Config on the EC2 security groups to track any noncompliant changes. Send" ], "correct": "B. Enable AWS CloudTrail to capture the changes to EC2 security groups. Enable Amazon", "explanation": "Explanation/Reference: Community vote distribution D (81%) B (19%)", "references": "" }, { "question": "Topic 1 A company has IoT sensors that monitor traffic patterns throughout a large city. The company wants to read and collect data from the sensors and perform aggregations on the data. A solutions architect designs a solution in which the IoT devices are streaming to Amazon Kinesis Data Streams. Several applications are reading from the stream.
However, several consumers are experiencing throttling and are periodically encountering a ReadProvisionedThroughputExceeded error. Which actions should the solutions architect take to resolve this issue? (Choose three.)", "options": [ "A. Reshard the stream to increase the number of shards in the stream.", "B. Use the Kinesis Producer Library (KPL). Adjust the polling frequency.", "C. Use consumers with the enhanced fan-out feature.", "D. Reshard the stream to reduce the number of shards in the stream." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACE (100%)", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations to manage its AWS accounts. The company needs a list of all its Amazon EC2 instances that have underutilized CPU or memory usage. The company also needs recommendations for how to downsize these underutilized instances. Which solution will meet these requirements with the LEAST effort?", "options": [ "A. Install a CPU and memory monitoring tool from AWS Marketplace on all the EC2 instances.", "B. Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems", "C. Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems", "D. Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems" ], "correct": "B. Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company wants to run a custom network analysis software package to inspect traffic as traffic leaves and enters a VPC. The company has deployed the solution by using AWS CloudFormation on three Amazon EC2 instances in an Auto Scaling group. All network routing has been established to direct traffic to the EC2 instances. Whenever the analysis software stops working, the Auto Scaling group replaces an instance.
The network routes are not updated when the instance replacement occurs. Which combination of steps will resolve this issue? (Choose three.)", "options": [ "A. Create alarms based on EC2 status check metrics that will cause the Auto Scaling group to", "B. Update the CloudFormation template to install the Amazon CloudWatch agent on the EC2", "C. Update the CloudFormation template to install AWS Systems Manager Agent on the EC2", "D. Create an alarm for the custom metric in Amazon CloudWatch for the failure scenarios." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BDE (100%)", "references": "" }, { "question": "Topic 1 A company is developing a new on-demand video application that is based on microservices. The application will have 5 million users at launch and will have 30 million users after 6 months. The company has deployed the application on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate. The company developed the application by using ECS services that use the HTTPS protocol. A solutions architect needs to implement updates to the application by using blue/green deployments. The solution must distribute traffic to each ECS service through a load balancer. The application must automatically adjust the number of tasks in response to an Amazon CloudWatch alarm. Which solution will meet these requirements?", "options": [ "A. Configure the ECS services to use the blue/green deployment type and a Network Load", "B. Configure the ECS services to use the blue/green deployment type and a Network Load", "C. Configure the ECS services to use the blue/green deployment type and an Application Load", "D. Configure the ECS services to use the blue/green deployment type and an Application Load" ], "correct": "A.
Configure the ECS services to use the blue/green deployment type and a Network Load", "explanation": "Explanation/Reference: Community vote distribution D (90%) 10%", "references": "" }, { "question": "Topic 1 A company is running a containerized application in the AWS Cloud. The application is running by using Amazon Elastic Container Service (Amazon ECS) on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group. The company uses Amazon Elastic Container Registry (Amazon ECR) to store its container images. When a new image version is uploaded, the new image version receives a unique tag. The company needs a solution that inspects new image versions for common vulnerabilities and exposures. The solution must automatically delete new image tags that have Critical or High severity findings. The solution also must notify the development team when such a deletion occurs. Which solution meets these requirements?", "options": [ "A. Configure scan on push on the repository. Use Amazon EventBridge to invoke an AWS Step", "B. Configure scan on push on the repository. Configure scan results to be pushed to an", "C. Schedule an AWS Lambda function to start a manual image scan every hour. Configure", "D. Configure periodic image scan on the repository. Configure scan results to be added to an" ], "correct": "C. Schedule an AWS Lambda function to start a manual image scan every hour. Configure", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company runs many workloads on AWS and uses AWS Organizations to manage its accounts. The workloads are hosted on Amazon EC2, AWS Fargate, and AWS Lambda. Some of the workloads have unpredictable demand. Accounts record high usage in some months and low usage in other months. The company wants to optimize its compute costs over the next 3 years.
A solutions architect obtains a 6-month average for each of the accounts across the organization to calculate usage. Which solution will provide the MOST cost savings for all the organization's compute usage?", "options": [ "A. Purchase Reserved Instances for the organization to match the size and number of the", "B. Purchase a Compute Savings Plan for the organization from the management account by", "C. Purchase Reserved Instances for each member account that had high EC2 usage", "D. Purchase an EC2 Instance Savings Plan for each member account from the management" ], "correct": "B. Purchase a Compute Savings Plan for the organization from the management account by", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has hundreds of AWS accounts. The company uses an organization in AWS Organizations to manage all the accounts. The company has turned on all features. A finance team has allocated a daily budget for AWS costs. The finance team must receive an email notification if the organization's AWS costs exceed 80% of the allocated budget. A solutions architect needs to implement a solution to track the costs and deliver the notifications. Which solution will meet these requirements?", "options": [ "A. In the organization's management account, use AWS Budgets to create a budget that has a", "B. In the organization's management account, set up the organizational view feature for AWS", "C. Register the organization with AWS Control Tower. Activate the optional cost control", "D. Configure the member accounts to save a daily AWS Cost and Usage Report to an Amazon" ], "correct": "A.
In the organization's management account, use AWS Budgets to create a budget that has a", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company provides auction services for artwork and has users across North America and Europe. The company hosts its application in Amazon EC2 instances in the us-east-1 Region. Artists upload photos of their work as large-size, high-resolution image files from their mobile phones to a centralized Amazon S3 bucket created in the us-east-1 Region. The users in Europe are reporting slow performance for their image uploads. How can a solutions architect improve the performance of the image upload process?", "options": [ "A. Redeploy the application to use S3 multipart uploads.", "B. Create an Amazon CloudFront distribution and point to the application as a custom origin.", "C. Configure the buckets to use S3 Transfer Acceleration.", "D. Create an Auto Scaling group for the EC2 instances and create a scaling policy." ], "correct": "C. Configure the buckets to use S3 Transfer Acceleration.", "explanation": "Explanation/Reference: Community vote distribution C (93%) 7%", "references": "" }, { "question": "Topic 1 A company wants to containerize a multi-tier web application and move the application from an on-premises data center to AWS. The application includes web, application, and database tiers. The company needs to make the application fault tolerant and scalable. Some frequently accessed data must always be available across application servers. Frontend web servers need session persistence and must scale to meet increases in traffic. Which solution will meet these requirements with the LEAST ongoing operational overhead?", "options": [ "A. Run the application on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate.", "B. Run the application on Amazon Elastic Container Service (Amazon ECS) on Amazon EC2.", "C.
Run the application on Amazon Elastic Kubernetes Service (Amazon EKS). Configure", "D. Deploy the application on Amazon Elastic Kubernetes Service (Amazon EKS). Configure" ], "correct": "B. Run the application on Amazon Elastic Container Service (Amazon ECS) on Amazon EC2.", "explanation": "Explanation/Reference: Community vote distribution D (88%) 6%", "references": "" }, { "question": "Topic 1 A solutions architect is planning to migrate critical Microsoft SQL Server databases to AWS. Because the databases are legacy systems, the solutions architect will move the databases to a modern data architecture. The solutions architect must migrate the databases with near-zero downtime. Which solution will meet these requirements?", "options": [ "A. Use AWS Application Migration Service and the AWS Schema Conversion Tool (AWS SCT).", "B. Use AWS Database Migration Service (AWS DMS) to rehost the database. Set Amazon S3", "C. Use native database high availability tools. Connect the source system to an Amazon RDS", "D. Use AWS Application Migration Service. Rehost the database server on Amazon EC2. When" ], "correct": "C. Use native database high availability tools. Connect the source system to an Amazon RDS", "explanation": "Explanation/Reference: Community vote distribution C (64%) B (31%) 6%", "references": "" }, { "question": "Topic 1 A company's solutions architect is analyzing costs of a multi-application environment. The environment is deployed across multiple Availability Zones in a single AWS Region. After a recent acquisition, the company manages two organizations in AWS Organizations. The company has created multiple service provider applications as AWS PrivateLink-powered VPC endpoint services in one organization. The company has created multiple service consumer applications in the other organization. Data transfer charges are much higher than the company expected, and the solutions architect needs to reduce the costs.
The solutions architect must recommend guidelines for developers to follow when they deploy services. These guidelines must minimize data transfer charges for the whole environment. Which guidelines meet these requirements? (Choose two.)", "options": [ "A. Use AWS Resource Access Manager to share the subnets that host the service provider", "B. Place the service provider applications and the service consumer applications in AWS", "C. Turn off cross-zone load balancing for the Network Load Balancer in all service provider", "D. Ensure that service consumer compute resources use the Availability Zone-specific" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (46%) CD (25%) AD (25%) 3%", "references": "" }, { "question": "Topic 1 A company has an on-premises Microsoft SQL Server database that writes a nightly 200 GB export to a local drive. The company wants to move the backups to more robust cloud storage on Amazon S3. The company has set up a 10 Gbps AWS Direct Connect connection between the on-premises data center and AWS. Which solution meets these requirements MOST cost-effectively?", "options": [ "A. Create a new S3 bucket. Deploy an AWS Storage Gateway file gateway within the VPC that", "C. Create an Amazon FSx for Windows File Server Multi-AZ file system within the VPC that is", "D. Create a new S3 bucket. Deploy an AWS Storage Gateway volume gateway within the VPC" ], "correct": "A. Create a new S3 bucket. Deploy an AWS Storage Gateway file gateway within the VPC that", "explanation": "Explanation/Reference: Community vote distribution A (95%) 5%", "references": "" }, { "question": "Topic 1 A company needs to establish a connection from its on-premises data center to AWS. The company needs to connect all of its VPCs that are located in different AWS Regions with transitive routing capabilities between VPC networks.
The company also must reduce network outbound traffic costs, increase bandwidth throughput, and provide a consistent network experience for end users. Which solution will meet these requirements?", "options": [ "A. Create an AWS Site-to-Site VPN connection between the on-premises data center and a", "B. Create an AWS Direct Connect connection between the on-premises data center and AWS.", "C. Create an AWS Site-to-Site VPN connection between the on-premises data center and a", "D. Create an AWS Direct Connect connection between the on-premises data center and AWS." ], "correct": "B. Create an AWS Direct Connect connection between the on-premises data center and AWS.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts. Which solution will meet this requirement?", "options": [ "A. Create an IAM user and a cross-account role in the management account. Configure the", "B. Create an IAM user in each member account. In the management account, create a cross-", "C. Create an IAM user in the management account. In the member accounts, create an IAM", "D. Create an IAM user in the management account. In the member accounts, create cross-" ], "correct": "D. Create an IAM user in the management account. In the member accounts, create cross-", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company wants to use AWS for disaster recovery for an on-premises application.
The company has hundreds of Windows-based servers that run the application. All the servers mount a common share. The company has an RTO of 15 minutes and an RPO of 5 minutes. The solution must support native failover and fallback capabilities. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Create an AWS Storage Gateway File Gateway. Schedule daily Windows server backups.", "B. Create a set of AWS CloudFormation templates to create infrastructure. Replicate all data", "C. Create an AWS Cloud Development Kit (AWS CDK) pipeline to stand up a multi-site active-", "D. Use AWS Elastic Disaster Recovery to replicate the on-premises servers. Replicate data to" ], "correct": "B. Create a set of AWS CloudFormation templates to create infrastructure. Replicate all data", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company has built a high performance computing (HPC) cluster in AWS for a tightly coupled workload that generates a large number of shared files stored in Amazon EFS. The cluster was performing well when the number of Amazon EC2 instances in the cluster was 100. However, when the company increased the cluster size to 1.000 EC2 instances, overall performance was well below expectations. Which collection of design choices should a solutions architect make to achieve the maximum performance from the HPC cluster? (Choose three.)", "options": [ "A. Ensure the HPC cluster is launched within a single Availability Zone.", "B. Launch the EC2 instances and attach elastic network interfaces in multiples of four.", "C. Select EC2 instance types with an Elastic Fabric Adapter (EFA) enabled.", "D. Ensure the cluster is launched across multiple Availability Zones." 
], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACF (89%) 11%", "references": "" }, { "question": "Topic 1 A company is designing an AWS Organizations structure. The company wants to standardize a process to apply tags across the entire organization. The company will require tags with specific values when a user creates a new resource. Each of the company's OUs will have unique tag values. Which solution will meet these requirements? A. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.", "options": [ "B. Use an SCP to deny the creation of resources that do not have the required tags. Create a", "C. Use an SCP to allow the creation of resources only when the resources have the required", "D. Use an SCP to deny the creation of resources that do not have the required tags. Define the" ], "correct": "C. Use an SCP to allow the creation of resources only when the resources have the required", "explanation": "Explanation/Reference: Community vote distribution A (82%) B (18%)", "references": "" }, { "question": "Topic 1 A company has more than 10,000 sensors that send data to an on-premises Apache Kafka server by using the Message Queuing Telemetry Transport (MQTT) protocol. The on-premises Kafka server transforms the data and then stores the results as objects in an Amazon S3 bucket. Recently, the Kafka server crashed. The company lost sensor data while the server was being restored. A solutions architect must create a new design on AWS that is highly available and scalable to prevent a similar occurrence. Which solution will meet these requirements?", "options": [ "A. Launch two Amazon EC2 instances to host the Kafka server in an active/standby", "B. Migrate the on-premises Kafka server to Amazon Managed Streaming for Apache Kafka", "C. 
Deploy AWS IoT Core, and connect it to an Amazon Kinesis Data Firehose delivery stream.", "D. Deploy AWS IoT Core, and launch an Amazon EC2 instance to host the Kafka server." ], "correct": "A. Launch two Amazon EC2 instances to host the Kafka server in an active/standby", "explanation": "Explanation/Reference: Community vote distribution C (84%) B (16%)", "references": "" }, { "question": "Topic 1 A company recently started hosting new application workloads in the AWS Cloud. The company is using Amazon EC2 instances, Amazon Elastic File System (Amazon EFS) file systems, and Amazon RDS DB instances. To meet regulatory and business requirements, the company must make the following changes for data backups: \u00b7 Backups must be retained based on custom daily, weekly, and monthly requirements. \u00b7 Backups must be replicated to at least one other AWS Region immediately after capture. \u00b7 The backup solution must provide a single source of backup status across the AWS environment. \u00b7 The backup solution must send immediate notifications upon failure of any resource backup. Which combination of steps will meet these requirements with the LEAST amount of operational overhead? (Choose three.)", "options": [ "A. Create an AWS Backup plan with a backup rule for each of the retention requirements.", "B. Configure an AWS Backup plan to copy backups to another Region.", "C. Create an AWS Lambda function to replicate backups to another Region and send", "D. Add an Amazon Simple Notification Service (Amazon SNS) topic to the backup plan to" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABD (100%)", "references": "" }, { "question": "Topic 1 A company is developing a gene reporting device that will collect genomic information to assist researchers with collecting large samples of data from a diverse population. 
The device will push 8 KB of genomic data every second to a data platform that will need to process and analyze the data and provide information back to researchers. The data platform must meet the following requirements: \u00b7 Provide near-real-time analytics of the inbound genomic data \u00b7 Ensure the data is flexible, parallel, and durable \u00b7 Deliver results of processing to a data warehouse Which strategy should a solutions architect use to meet these requirements?", "options": [ "A. Use Amazon Kinesis Data Firehose to collect the inbound sensor data, analyze the data", "B. Use Amazon Kinesis Data Streams to collect the inbound sensor data, analyze the data", "C. Use Amazon S3 to collect the inbound device data, analyze the data from Amazon SQS", "D. Use an Amazon API Gateway to put requests into an Amazon SQS queue, analyze the data" ], "correct": "B. Use Amazon Kinesis Data Streams to collect the inbound sensor data, analyze the data", "explanation": "Explanation/Reference: Community vote distribution B (94%) 6%", "references": "" }, { "question": "Topic 1 A solutions architect needs to define a reference architecture for a solution for three-tier applications with web, application, and NoSQL data layers. The reference architecture must meet the following requirements: \u00b7 High availability within an AWS Region \u00b7 Able to fail over in 1 minute to another AWS Region for disaster recovery \u00b7 Provide the most efficient solution while minimizing the impact on the user experience Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Use an Amazon Route 53 weighted routing policy set to 100/0 across the two selected", "B. Use an Amazon Route 53 failover routing policy for failover from the primary Region to the", "C. Use a global table within Amazon DynamoDB so data can be accessed in the two selected", "D. 
Back up data from an Amazon DynamoDB table in the primary Region every 60 minutes and" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BCE (93%) 7%", "references": "" }, { "question": "Topic 1 A company manufactures smart vehicles. The company uses a custom application to collect vehicle data. The vehicles use the MQTT protocol to connect to the application. The company processes the data in 5-minute intervals. The company then copies vehicle telematics data to on-premises storage. Custom applications analyze this data to detect anomalies. The number of vehicles that send data grows constantly. Newer vehicles generate high volumes of data. The on-premises storage solution is not able to scale for peak traffic, which results in data loss. The company must modernize the solution and migrate the solution to AWS to resolve the scaling challenges. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Use AWS IoT Greengrass to send the vehicle data to Amazon Managed Streaming for", "B. Use AWS IoT Core to receive the vehicle data. Configure rules to route data to an Amazon", "C. Use AWS IoT FleetWise to collect the vehicle data. Send the data to an Amazon Kinesis", "D. Use Amazon MQ for RabbitMQ to collect the vehicle data. Send the data to an Amazon" ], "correct": "C. Use AWS IoT FleetWise to collect the vehicle data. Send the data to an Amazon Kinesis", "explanation": "Explanation/Reference: Community vote distribution B (82%) Other", "references": "" }, { "question": "Topic 1 During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability. Which solution will ensure that the credentials are appropriately secured automatically?", "options": [ "A. 
Run a script nightly using AWS Systems Manager Run Command to search for credentials", "B. Use a scheduled AWS Lambda function to download and scan the application code from", "C. Configure Amazon Macie to scan for credentials in CodeCommit repositories. If", "D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code" ], "correct": "A. Run a script nightly using AWS Systems Manager Run Command to search for credentials", "explanation": "Explanation/Reference: Community vote distribution D (91%) 9%", "references": "" }, { "question": "Topic 1 A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts. The company's information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function. To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application. Which combination of steps should the solutions architect take to implement this solution? (Choose two.)", "options": [ "A. Create an S3 access point for each application in the AWS account that owns the S3", "B. Create an interface endpoint for Amazon S3 in each application's VPC. Configure the", "C. Create a gateway endpoint for Amazon S3 in each application's VPC. Configure the endpoint", "D. Create an S3 access point for each application in each AWS account and attach the access" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (63%) AB (24%) 8%", "references": "" }, { "question": "Topic 1 A company has developed a hybrid solution between its data center and AWS. The company uses Amazon VPC and Amazon EC2 instances that send application logs to Amazon CloudWatch. The EC2 instances read data from multiple relational databases that are hosted on premises. 
The company wants to monitor which EC2 instances are connected to the databases in near-real time. The company already has a monitoring solution that uses Splunk on premises. A solutions architect needs to determine how to send networking traffic to Splunk. How should the solutions architect meet these requirements?", "options": [ "A. Enable VPC flows logs, and send them to CloudWatch. Create an AWS Lambda function to", "B. Create an Amazon Kinesis Data Firehose delivery stream with Splunk as the destination.", "C. Ask the company to log every request that is made to the databases along with the EC2", "D. Send the CloudWatch logs to an Amazon Kinesis data stream with Amazon Kinesis Data" ], "correct": "A. Enable VPC flows logs, and send them to CloudWatch. Create an AWS Lambda function to", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has five development teams that have each created five AWS accounts to develop and host applications. To track spending, the development teams log in to each account every month, record the current cost from the AWS Billing and Cost Management console, and provide the information to the company's finance team. The company has strict compliance requirements and needs to ensure that resources are created only in AWS Regions in the United States. However, some resources have been created in other Regions. A solutions architect needs to implement a solution that gives the finance team the ability to track and consolidate expenditures for all the accounts. The solution also must ensure that the company can create resources only in Regions in the United States. Which combination of steps will meet these requirements in the MOST operationally efficient way? (Choose three.)", "options": [ "A. Create a new account to serve as a management account. Create an Amazon S3 bucket for", "B. Create a new account to serve as a management account. 
Deploy an organization in AWS", "C. Create an OU that includes all the development teams. Create an SCP that allows the", "D. Create an OU that includes all the development teams. Create an SCP that denies the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BDE (83%) Other", "references": "" }, { "question": "Topic 1 A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team. How should a solutions architect meet these requirements?", "options": [ "A. Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-", "B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only", "C. Ask the security team to use AWS Security Token Service (AWS STS) to call the", "D. Ask the security team to use AWS Security Token Service (AWS STS) to call the" ], "correct": "B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A large company runs workloads in VPCs that are deployed across hundreds of AWS accounts. Each VPC consists of public subnets and private subnets that span across multiple Availability Zones. NAT gateways are deployed in the public subnets and allow outbound connectivity to the internet from the private subnets. A solutions architect is working on a hub-and-spoke design. All private subnets in the spoke VPCs must route traffic to the internet through an egress VPC. The solutions architect already has deployed a NAT gateway in an egress VPC in a central AWS account. Which set of additional steps should the solutions architect take to meet these requirements?", "options": [ "A. 
Create peering connections between the egress VPC and the spoke VPCs. Configure the", "B. Create a transit gateway, and share it with the existing AWS accounts. Attach existing", "C. Create a transit gateway in every account. Attach the NAT gateway to the transit gateways.", "D. Create an AWS PrivateLink connection between the egress VPC and the spoke VPCs.", "A. Use AWS Firewall Manager to create a security group and security group policy to deny", "B. Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block.", "C. Use AWS Firewall Manager to create a security group and security group policy to allow", "D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block." ], "correct": "B. Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company operates an on-premises software-as-a-service (SaaS) solution that ingests several files daily. The company provides multiple public SFTP endpoints to its customers to facilitate the file transfers. The customers add the SFTP endpoint IP addresses to their firewall allow list for outbound traffic. Changes to the SFTP endpoint IP addresses are not permitted. The company wants to migrate the SaaS solution to AWS and decrease the operational overhead of the file transfer service. Which solution meets these requirements?", "options": [ "A. Register the customer-owned block of IP addresses in the company's AWS account. Create", "B. Add a subnet containing the customer-owned block of IP addresses to a VPC. Create", "C. Register the customer-owned block of IP addresses with Amazon Route 53. 
Create alias" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company has a new application that needs to run on five Amazon EC2 instances in a single AWS Region. The application requires high-throughput, low-latency network connections between all of the EC2 instances where the application will run. There is no requirement for the application to be fault tolerant. Which solution will meet these requirements?", "options": [ "A. Launch five new EC2 instances into a cluster placement group. Ensure that the EC2", "B. Launch five new EC2 instances into an Auto Scaling group in the same Availability Zone.", "C. Launch five new EC2 instances into a partition placement group. Ensure that the EC2", "D. Launch five new EC2 instances into a spread placement group. Attach an extra elastic" ], "correct": "A. Launch five new EC2 instances into a cluster placement group. Ensure that the EC2", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is creating a REST API to share information with six of its partners based in the United States. The company has created an Amazon API Gateway Regional endpoint. Each of the six partners will access the API once per day to post daily sales figures. After initial deployment, the company observes 1,000 requests per second originating from 500 different IP addresses around the world. The company believes this traffic is originating from a botnet and wants to secure its API while minimizing cost. Which approach should the company take to secure its API?", "options": [ "A. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF", "B. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF", "C. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the", "D. 
Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the" ], "correct": "C. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the", "explanation": "Explanation/Reference: Community vote distribution D (96%) 4%", "references": "" }, { "question": "Topic 1 A company uses an Amazon Aurora PostgreSQL DB cluster for applications in a single AWS Region. The company's database team must monitor all data activity on all the databases. Which solution will achieve this goal?", "options": [ "A. Set up an AWS Database Migration Service (AWS DMS) change data capture (CDC) task.", "B. Start a database activity stream on the Aurora DB cluster to capture the activity stream in", "C. Start a database activity stream on the Aurora DB cluster to push the activity stream to an", "D. Set up an AWS Database Migration Service (AWS DMS) change data capture (CDC) task." ], "correct": "D. Set up an AWS Database Migration Service (AWS DMS) change data capture (CDC) task.", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 An entertainment company recently launched a new game. To ensure a good experience for players during the launch period, the company deployed a static quantity of 12 r6g.16xlarge (memory optimized) Amazon EC2 instances behind a Network Load Balancer. The company's operations team used the Amazon CloudWatch agent and a custom metric to include memory utilization in its monitoring strategy. Analysis of the CloudWatch metrics from the launch period showed consumption at about one quarter of the CPU and memory that the company expected. Initial demand for the game has subsided and has become more variable. The company decides to use an Auto Scaling group that monitors the CPU and memory consumption to dynamically scale the instance fleet. 
A solutions architect needs to configure the Auto Scaling group to meet demand in the most cost-effective way. Which solution will meet these requirements?", "options": [ "A. Configure the Auto Scaling group to deploy c6g.4xlarge (compute optimized) instances.", "B. Configure the Auto Scaling group to deploy m6g.4xlarge (general purpose) instances.", "C. Configure the Auto Scaling group to deploy r6g.4xlarge (memory optimized) instances.", "D. Configure the Auto Scaling group to deploy r6g.8xlarge (memory optimized) instances." ], "correct": "D. Configure the Auto Scaling group to deploy r6g.8xlarge (memory optimized) instances.", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A financial services company loaded millions of historical stock trades into an Amazon DynamoDB table. The table uses on-demand capacity mode. Once each day at midnight, a few million new records are loaded into the table. Application read activity against the table happens in bursts throughout the day, and a limited set of keys are repeatedly looked up. The company needs to reduce costs associated with DynamoDB. Which strategy should a solutions architect recommend to meet this requirement?", "options": [ "A. Deploy an Amazon ElastiCache cluster in front of the DynamoDB table", "B. Deploy DynamoDB Accelerator (DAX). Configure DynamoDB auto scaling. Purchase", "C. Use provisioned capacity mode. Purchase Savings Plans in Cost Explorer.", "D. Deploy DynamoDB Accelerator (DAX). Use provisioned capacity mode. Configure" ], "correct": "A. Deploy an Amazon ElastiCache cluster in front of the DynamoDB table", "explanation": "Explanation/Reference: Community vote distribution D (83%) Other", "references": "" }, { "question": "Topic 1 A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. 
AWS PrivateLink is being used to provide connectivity between the client services and the logging service. In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service running on EC2 instances with a Network Load Balancer (NLB) are deployed in different subnets. The clients are unable to submit logs using the VPC endpoint. Which combination of steps should a solutions architect take to resolve this issue? (Choose two.)", "options": [ "A. Check that the NACL is attached to the logging service subnet to allow communications to", "B. Check that the NACL is attached to the logging service subnets to allow communications", "C. Check the security group for the logging service running on the EC2 instances to ensure it", "D. Check the security group for the logging service running on EC2 instances to ensure it", "A. Create a new S3 bucket that has server-side encryption with customer-provided keys (SSE-", "B. Create a new S3 bucket that has server-side encryption with Amazon S3 managed keys", "C. Use AWS CloudHSM to store the encryption keys. Create a new S3 bucket. Use S3 Batch", "D. Use the S3 Intelligent-Tiering storage class for the S3 bucket. Create an S3 Intelligent-" ], "correct": "A. Create a new S3 bucket that has server-side encryption with customer-provided keys (SSE-", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A media storage application uploads user photos to Amazon S3 for processing by AWS Lambda functions. Application state is stored in Amazon DynamoDB tables. Users are reporting that some uploaded photos are not being processed properly. The application developers trace the logs and find that Lambda is experiencing photo processing issues when thousands of users upload photos simultaneously. 
The issues are the result of Lambda concurrency limits and the performance of DynamoDB when data is saved. Which combination of actions should a solutions architect take to increase the performance and reliability of the application? (Choose two.)", "options": [ "A. Evaluate and adjust the RCUs for the DynamoDB tables.", "B. Evaluate and adjust the WCUs for the DynamoDB tables.", "C. Add an Amazon ElastiCache layer to increase the performance of Lambda functions.", "D. Add an Amazon Simple Queue Service (Amazon SQS) queue and reprocessing logic" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (100%)", "references": "" }, { "question": "Topic 1 A company runs an application in an on-premises data center. The application gives users the ability to upload media files. The files persist in a file server. The web application has many users. The application server is overutilized, which causes data uploads to fail occasionally. The company frequently adds new storage to the file server. The company wants to resolve these challenges by migrating the application to AWS. Users from across the United States and Canada access the application. Only authenticated users should have the ability to access the application to upload files. The company will consider a solution that refactors the application, and the company needs to accelerate application development. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Use AWS Application Migration Service to migrate the application server to Amazon EC2", "B. Use AWS Application Migration Service to migrate the application server to Amazon EC2", "C. Create a static website for uploads of media files. Store the static assets in Amazon S3.", "D. Use AWS Amplify to create a static website for uploads of media files. Use Amplify" ], "correct": "A. 
Use AWS Application Migration Service to migrate the application server to Amazon EC2", "explanation": "Explanation/Reference: Community vote distribution D (93%) 7%", "references": "" }, { "question": "Topic 1 A company has an application that is deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The application has unpredictable workloads and frequently scales out and in. The company's development team wants to analyze application logs to find ways to improve the application's performance. However, the logs are no longer available after instances scale in. Which solution will give the development team the ability to view the application logs after a scale-in event?", "options": [ "A. Enable access logs for the ALB. Store the logs in an Amazon S3 bucket.", "B. Configure the EC2 instances to publish logs to Amazon CloudWatch Logs by using the", "C. Modify the Auto Scaling group to use a step scaling policy.", "D. Instrument the application with AWS X-Ray tracing." ], "correct": "B. Configure the EC2 instances to publish logs to Amazon CloudWatch Logs by using the", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company runs an unauthenticated static website (www.example.com) that includes a registration form for users. The website uses Amazon S3 for hosting and uses Amazon CloudFront as the content delivery network with AWS WAF configured. When the registration form is submitted, the website calls an Amazon API Gateway API endpoint that invokes an AWS Lambda function to process the payload and forward the payload to an external API call. During testing, a solutions architect encounters a cross-origin resource sharing (CORS) error. The solutions architect confirms that the CloudFront distribution origin has the Access-Control-Allow-Origin header set to www.example.com. 
What should the solutions architect do to resolve the error?", "options": [ "A. Change the CORS configuration on the S3 bucket. Add rules for CORS to the AllowedOrigin", "B. Enable the CORS setting in AWS WAF. Create a web ACL rule in which the Access-Control-", "C. Enable the CORS setting on the API Gateway API endpoint. Ensure that the API endpoint is", "D. Enable the CORS setting on the Lambda function. Ensure that the return code of the" ], "correct": "B. Enable the CORS setting in AWS WAF. Create a web ACL rule in which the Access-Control-", "explanation": "Explanation/Reference: Community vote distribution C (95%) 5%", "references": "" }, { "question": "Topic 1 A company has many separate AWS accounts and uses no central billing or management. Each AWS account hosts services for different departments in the company. The company has a Microsoft Azure Active Directory that is deployed. A solutions architect needs to centralize billing and management of the company's AWS accounts. The company wants to start using identity federation instead of manual user management. The company also wants to use temporary credentials instead of long-lived access keys. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Create a new AWS account to serve as a management account. Deploy an organization in", "B. Configure each AWS account's email address to be aws+@example.com so that account", "C. Deploy AWS IAM Identity Center (AWS Single Sign-On) in the management account.", "D. Deploy an AWS Managed Microsoft AD directory in the management account. Share the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACE (100%)", "references": "" }, { "question": "Topic 1 A company wants to manage the costs associated with a group of 20 applications that are infrequently used, but are still business-critical, by migrating to AWS. 
The applications are a mix of Java and Node.js spread across different instance clusters. The company wants to minimize costs while standardizing by using a single deployment methodology. Most of the applications are part of month-end processing routines with a small number of concurrent users, but they are occasionally run at other times. Average application memory consumption is less than 1 GB, though some applications use as much as 2.5 GB of memory during peak processing. The most important application in the group is a billing report written in Java that accesses multiple data sources and often runs for several hours. Which is the MOST cost-effective solution?", "options": [ "A. Deploy a separate AWS Lambda function for each application. Use AWS CloudTrail logs", "B. Deploy Amazon ECS containers on Amazon EC2 with Auto Scaling configured for memory", "C. Deploy AWS Elastic Beanstalk for each application with Auto Scaling to ensure that all", "D. Deploy a new Amazon EC2 instance cluster that co-hosts all applications by using EC2" ], "correct": "B. Deploy Amazon ECS containers on Amazon EC2 with Auto Scaling configured for memory", "explanation": "Explanation/Reference: Community vote distribution B (90%) 10%", "references": "" }, { "question": "Topic 1 A solutions architect needs to review the design of an Amazon EMR cluster that is using the EMR File System (EMRFS). The cluster performs tasks that are critical to business needs. The cluster is running Amazon EC2 On-Demand Instances at all times for all task, primary, and core nodes. The EMR tasks run each morning, starting at 1:00 AM, and take 6 hours to finish running. The amount of time to complete the processing is not a priority because the data is not referenced until late in the day. The solutions architect must review the architecture and suggest a solution to minimize the compute costs. Which solution should the solutions architect recommend to meet these requirements?", "options": [ "A. 
Launch all task, primary, and core nodes on Spot Instances in an instance fleet. Terminate", "B. Launch the primary and core nodes on On-Demand Instances. Launch the task nodes on", "C. Continue to launch all nodes on On-Demand Instances. Terminate the cluster, including all", "D. Launch the primary and core nodes on On-Demand Instances. Launch the task nodes on" ], "correct": "C. Continue to launch all nodes on On-Demand Instances. Terminate the cluster, including all", "explanation": "Explanation/Reference: Community vote distribution D (61%) B (39%)", "references": "" }, { "question": "Topic 1 A company has migrated a legacy application to the AWS Cloud. The application runs on three Amazon EC2 instances that are spread across three Availability Zones. One EC2 instance is in each Availability Zone. The EC2 instances are running in three private subnets of the VPC and are set up as targets for an Application Load Balancer (ALB) that is associated with three public subnets. The application needs to communicate with on-premises systems. Only traffic from IP addresses in the company's IP address range are allowed to access the on-premises systems. The company's security team is bringing only one IP address from its internal IP address range to the cloud. The company has added this IP address to the allow list for the company firewall. The company also has created an Elastic IP address for this IP address. A solutions architect needs to create a solution that gives the application the ability to communicate with the on-premises systems. The solution also must be able to mitigate failures automatically. Which solution will meet these requirements?", "options": [ "A. Deploy three NAT gateways, one in each public subnet. Assign the Elastic IP address to the", "B. Replace the ALB with a Network Load Balancer (NLB). Assign the Elastic IP address to the", "C. Deploy a single NAT gateway in a public subnet. Assign the Elastic IP address to the NAT", "D. 
Assign the Elastic IP address to the ALB. Create an Amazon Route 53 simple record with", "A. Call the MoveAccount operation in the Organizations API from the old organization's", "B. From the management account, remove each developer account from the old organization", "C. From each developer account, remove the account from the old organization using the", "D. Sign in to the new developer organization's management account and create a placeholder" ], "correct": "A. Deploy three NAT gateways, one in each public subnet. Assign the Elastic IP address to the", "explanation": "Explanation/Reference: Community vote distribution BEF (87%) 7%", "references": "" }, { "question": "Topic 1 A company's interactive web application uses an Amazon CloudFront distribution to serve images from an Amazon S3 bucket. Occasionally, third-party tools ingest corrupted images into the S3 bucket. This image corruption causes a poor user experience in the application later. The company has successfully implemented and tested Python logic to detect corrupt images. A solutions architect must recommend a solution to integrate the detection logic with minimal latency between the ingestion and serving. Which solution will meet these requirements?", "options": [ "A. Use a Lambda@Edge function that is invoked by a viewer-response event.", "B. Use a Lambda@Edge function that is invoked by an origin-response event.", "C. Use an S3 event notification that invokes an AWS Lambda function.", "D. Use an S3 event notification that invokes an AWS Step Functions state machine." ], "correct": "B. Use a Lambda@Edge function that is invoked by an origin-response event.", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company has an application that runs on Amazon EC2 instances in an Amazon EC2 Auto Scaling group. The company uses AWS CodePipeline to deploy the application. 
The instances that run in the Auto Scaling group are constantly changing because of scaling events. When the company deploys new application code versions, the company installs the AWS CodeDeploy agent on any new target EC2 instances and associates the instances with the CodeDeploy deployment group. The application is set to go live within the next 24 hours. What should a solutions architect recommend to automate the application deployment process with the LEAST amount of operational overhead?", "options": [ "A. Configure Amazon EventBridge to invoke an AWS Lambda function when a new EC2", "B. Write a script to suspend Amazon EC2 Auto Scaling operations before the deployment of", "C. Create a new AWS CodeBuild project that creates a new AMI that contains the new code.", "D. Create a new AMI that has the CodeDeploy agent installed. Configure the Auto Scaling" ], "correct": "D. Create a new AMI that has the CodeDeploy agent installed. Configure the Auto Scaling", "explanation": "Explanation/Reference: Community vote distribution D (94%) 6%", "references": "" }, { "question": "Topic 1 A company has a website that runs on four Amazon EC2 instances that are behind an Application Load Balancer (ALB). When the ALB detects that an EC2 instance is no longer available, an Amazon CloudWatch alarm enters the ALARM state. A member of the company's operations team then manually adds a new EC2 instance behind the ALB. A solutions architect needs to design a highly available solution that automatically handles the replacement of EC2 instances. The company needs to minimize downtime during the switch to the new solution. Which set of steps should the solutions architect take to meet these requirements?", "options": [ "A. Delete the existing ALB. Create an Auto Scaling group that is configured to handle the web", "B. Create an Auto Scaling group that is configured to handle the web application traffic.", "C. Delete the existing ALB and the EC2 instances. 
Create an Auto Scaling group that is", "D. Create an Auto Scaling group that is configured to handle the web application traffic." ], "correct": "C. Delete the existing ALB and the EC2 instances. Create an Auto Scaling group that is", "explanation": "Explanation/Reference: Community vote distribution B (95%) 5%", "references": "" }, { "question": "Topic 1 A company wants to optimize AWS data-transfer costs and compute costs across developer accounts within the company's organization in AWS Organizations. Developers can configure VPCs and launch Amazon EC2 instances in a single AWS Region. The EC2 instances retrieve approximately 1 TB of data each day from Amazon S3. The developer activity leads to excessive monthly data-transfer charges and NAT gateway processing charges between EC2 instances and S3 buckets, along with high compute costs. The company wants to proactively enforce approved architectural patterns for any EC2 instance and VPC infrastructure that developers deploy within the AWS accounts. The company does not want this enforcement to negatively affect the speed at which the developers can perform their tasks. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Create SCPs to prevent developers from launching unapproved EC2 instance types.", "B. Create a daily forecasted budget with AWS Budgets to monitor EC2 compute costs and S3", "C. Create an AWS Service Catalog portfolio that users can use to create an approved VPC", "D. Create and deploy AWS Config rules to monitor the compliance of EC2 and VPC resources" ], "correct": "C. Create an AWS Service Catalog portfolio that users can use to create an approved VPC", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is expanding. The company plans to separate its resources into hundreds of different AWS accounts in multiple AWS Regions. 
A solutions architect must recommend a solution that denies access to any operations outside of specifically designated Regions. Which solution will meet these requirements?", "options": [ "A. Create IAM roles for each account. Create IAM policies with conditional allow permissions", "B. Create an organization in AWS Organizations. Create IAM users for each account. Attach a", "C. Launch an AWS Control Tower landing zone. Create OUs and attach SCPs that deny access", "D. Enable AWS Security Hub in each account. Create controls to specify the Regions where an" ], "correct": "B. Create an organization in AWS Organizations. Create IAM users for each account. Attach a", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company wants to refactor its retail ordering web application that currently has a load-balanced Amazon EC2 instance fleet for web hosting, database API services, and business logic. The company needs to create a decoupled, scalable architecture with a mechanism for retaining failed orders while also minimizing operational costs. Which solution will meet these requirements?", "options": [ "A. Use Amazon S3 for web hosting with Amazon API Gateway for database API services. Use", "B. Use AWS Elastic Beanstalk for web hosting with Amazon API Gateway for database API", "C. Use Amazon S3 for web hosting with AWS AppSync for database API services. Use", "D. Use Amazon Lightsail for web hosting with AWS AppSync for database API services. Use" ], "correct": "A. Use Amazon S3 for web hosting with Amazon API Gateway for database API services. Use", "explanation": "Explanation/Reference: Community vote distribution C (88%) 13%", "references": "" }, { "question": "Topic 1 A company hosts a web application on AWS in the us-east-1 Region. The application servers are distributed across three Availability Zones behind an Application Load Balancer. 
The database is hosted in a MySQL database on an Amazon EC2 instance. A solutions architect needs to design a cross-Region data recovery solution using AWS services with an RTO of less than 5 minutes and an RPO of less than 1 minute. The solutions architect is deploying application servers in us-west-2, and has configured Amazon Route 53 health checks and DNS failover to us-west-2. Which additional step should the solutions architect take?", "options": [ "A. Migrate the database to an Amazon RDS for MySQL instance with a cross-Region read", "B. Migrate the database to an Amazon Aurora global database with the primary in us-east-1", "C. Migrate the database to an Amazon RDS for MySQL instance with a Multi-AZ deployment.", "D. Create a MySQL standby database on an Amazon EC2 instance in us-west-2." ], "correct": "D. Create a MySQL standby database on an Amazon EC2 instance in us-west-2.", "explanation": "Explanation/Reference: Community vote distribution B (93%) 7%", "references": "" }, { "question": "Topic 1 A company is using AWS Organizations to manage multiple accounts. Due to regulatory requirements, the company wants to restrict specific member accounts to certain AWS Regions, where they are permitted to deploy resources. The resources in the accounts must be tagged, enforced based on a group standard, and centrally managed with minimal configuration. What should a solutions architect do to meet these requirements?", "options": [ "A. Create an AWS Config rule in the specific member accounts to limit Regions and apply a", "B. From the AWS Billing and Cost Management console, in the management account, disable", "C. Associate the specific member accounts with the root. Apply a tag policy and an SCP using", "D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP" ], "correct": "A. 
Create an AWS Config rule in the specific member accounts to limit Regions and apply a", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company has an application that generates reports and stores them in an Amazon S3 bucket. When a user accesses their report, the application generates a signed URL to allow the user to download the report. The company's security team has discovered that the files are public and that anyone can download them without authentication. The company has suspended the generation of new reports until the problem is resolved. Which set of actions will immediately remediate the security issue without impacting the application's normal workflow?", "options": [ "A. Create an AWS Lambda function that applies a deny all policy for users who are not", "B. Review the AWS Trusted Advisor bucket permissions check and implement the", "C. Run a script that puts a private ACL on all of the objects in the bucket.", "D. Use the Block Public Access feature in Amazon S3 to set the IgnorePublicAcls option to" ], "correct": "B. Review the AWS Trusted Advisor bucket permissions check and implement the", "explanation": "Explanation/Reference: Community vote distribution D (83%) C (17%)", "references": "" }, { "question": "Topic 1 A company is planning to migrate an Amazon RDS for Oracle database to an RDS for PostgreSQL DB instance in another AWS account. A solutions architect needs to design a migration strategy that will require no downtime and that will minimize the amount of time necessary to complete the migration. The migration strategy must replicate all existing data and any new data that is created during the migration. The target database must be identical to the source database at completion of the migration process. All applications currently use an Amazon Route 53 CNAME record as their endpoint for communication with the RDS for Oracle DB instance. 
The RDS for Oracle DB instance is in a private subnet. Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)", "options": [ "A. Create a new RDS for PostgreSQL DB instance in the target account. Use the AWS Schema", "B. Use the AWS Schema Conversion Tool (AWS SCT) to create a new RDS for PostgreSQL DB", "C. Configure VPC peering between the VPCs in the two AWS accounts to provide connectivity", "D. Temporarily allow the source DB instance to be publicly accessible to provide connectivity", "A. Increase the backend processing timeout to 30 seconds to match the visibility timeout.", "B. Reduce the visibility timeout of the queue to automatically remove the faulty message.", "C. Configure a new SQS FIFO queue as a dead-letter queue to isolate the faulty messages.", "D. Configure a new SQS standard queue as a dead-letter queue to isolate the faulty" ], "correct": "C. Configure a new SQS FIFO queue as a dead-letter queue to isolate the faulty messages.", "explanation": "Explanation/Reference: Community vote distribution D (81%) C (19%)", "references": "" }, { "question": "Topic 1 A company has automated the nightly retraining of its machine learning models by using AWS Step Functions. The workflow consists of multiple steps that use AWS Lambda. Each step can fail for various reasons, and any failure causes a failure of the overall workflow. A review reveals that the retraining has failed multiple nights in a row without the company noticing the failure. A solutions architect needs to improve the workflow so that notifications are sent for all types of failures in the retraining process. Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)", "options": [ "A. Create an Amazon Simple Notification Service (Amazon SNS) topic with a subscription of", "B. Create a task named \"Email\" that forwards the input arguments to the SNS topic.", "C. 
Add a Catch field to all Task, Map, and Parallel states that have a statement of", "D. Add a new email address to Amazon Simple Email Service (Amazon SES). Verify the email" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABC (86%) 5%", "references": "" }, { "question": "Topic 1 A company plans to deploy a new private intranet service on Amazon EC2 instances inside a VPC. An AWS Site-to-Site VPN connects the VPC to the company's on-premises network. The new service must communicate with existing on-premises services. The on-premises services are accessible through the use of hostnames that reside in the company.example DNS zone. This DNS zone is wholly hosted on premises and is available only on the company's private network. A solutions architect must ensure that the new service can resolve hostnames on the company.example domain to integrate with existing services. Which solution meets these requirements?", "options": [ "A. Create an empty private zone in Amazon Route 53 for company.example. Add an additional", "B. Turn on DNS hostnames for the VPC. Configure a new outbound endpoint with Amazon", "C. Turn on DNS hostnames for the VPC. Configure a new inbound resolver endpoint with", "D. Use AWS Systems Manager to configure a run document that will install a hosts file that" ], "correct": "A. Create an empty private zone in Amazon Route 53 for company.example. Add an additional", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company uses AWS CloudFormation to deploy applications within multiple VPCs that are all attached to a transit gateway. Each VPC that sends traffic to the public internet must send the traffic through a shared services VPC. Each subnet within a VPC uses the default VPC route table, and the traffic is routed to the transit gateway. The transit gateway uses its default route table for any VPC attachment. 
A security audit reveals that an Amazon EC2 instance that is deployed within a VPC can communicate with an EC2 instance that is deployed in any of the company's other VPCs. A solutions architect needs to limit the traffic between the VPCs. Each VPC must be able to communicate only with a predefined, limited set of authorized VPCs. What should the solutions architect do to meet these requirements?", "options": [ "A. Update the network ACL of each subnet within a VPC to allow outbound traffic only to the", "B. Update all the security groups that are used within a VPC to deny outbound traffic to", "C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only", "D. Update the main route table of each VPC to route traffic only to the authorized VPCs" ], "correct": "C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company has a Windows-based desktop application that is packaged and deployed to the users' Windows machines. The company recently acquired another company that has employees who primarily use machines with a Linux operating system. The acquiring company has decided to migrate and rehost the Windows-based desktop application to AWS. All employees must be authenticated before they use the application. The acquiring company uses Active Directory on premises but wants a simplified way to manage access to the application on AWS for all the employees. Which solution will rehost the application on AWS with the LEAST development effort?", "options": [ "A. Set up and provision an Amazon Workspaces virtual desktop for every employee.", "B. Create an Auto Scaling group of Windows-based Amazon EC2 instances. Join each EC2", "C. Use an Amazon AppStream 2.0 image builder to create an image that includes the", "D. 
Refactor and containerize the application to run as a web-based application. Run the" ], "correct": "D. Refactor and containerize the application to run as a web-based application. Run the", "explanation": "Explanation/Reference: Community vote distribution C (93%) 7%", "references": "" }, { "question": "Topic 1 A company is collecting a large amount of data from a fleet of IoT devices. Data is stored as Optimized Row Columnar (ORC) files in the Hadoop Distributed File System (HDFS) on a persistent Amazon EMR cluster. The company's data analytics team queries the data by using SQL in Apache Presto deployed on the same EMR cluster. Queries scan large amounts of data, always run for less than 15 minutes, and run only between 5 PM and 10 PM. The company is concerned about the high cost associated with the current solution. A solutions architect must propose the most cost-effective solution that will allow SQL data queries. Which solution will meet these requirements?", "options": [ "A. Store data in Amazon S3. Use Amazon Redshift Spectrum to query data.", "B. Store data in Amazon S3. Use the AWS Glue Data Catalog and Amazon Athena to query", "C. Store data in EMR File System (EMRFS). Use Presto in Amazon EMR to query data.", "D. Store data in Amazon Redshift. Use Amazon Redshift to query data." ], "correct": "D. Store data in Amazon Redshift. Use Amazon Redshift to query data.", "explanation": "Explanation/Reference: Community vote distribution B (94%) 6%", "references": "" }, { "question": "Topic 1 A large company recently experienced an unexpected increase in Amazon RDS and Amazon DynamoDB costs. The company needs to increase visibility into details of AWS Billing and Cost Management. There are various accounts associated with AWS Organizations, including many development and production accounts. 
There is no consistent tagging strategy across the organization, but there are guidelines in place that require all infrastructure to be deployed using AWS CloudFormation with consistent tagging. Management requires cost center numbers and project ID numbers for all existing and future DynamoDB tables and RDS instances. Which strategy should the solutions architect provide to meet these requirements? A. Use Tag Editor to tag existing resources. Create cost allocation tags to define the cost center and project ID and allow 24 hours for tags to propagate to existing resources.", "options": [ "B. Use an AWS Config rule to alert the finance team of untagged resources. Create a", "C. Use Tag Editor to tag existing resources. Create cost allocation tags to define the cost", "D. Create cost allocation tags to define the cost center and project ID and allow 24 hours for" ], "correct": "B. Use an AWS Config rule to alert the finance team of untagged resources. Create a", "explanation": "Explanation/Reference: Community vote distribution C (89%) 11%", "references": "" }, { "question": "Topic 1 A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS. Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking", "B. Establish a networking account in the AWS Cloud. Create a private VPC in the networking", "C. Create an Amazon S3 interface endpoint in the networking account.", "D. Create an Amazon S3 gateway endpoint in the networking account." 
], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (79%) 10% 7%", "references": "" }, { "question": "Topic 1 A company operates quick-service restaurants. The restaurants follow a predictable model with high sales traffic for 4 hours daily. Sales traffic is lower outside of those peak hours. The point of sale and management platform is deployed in the AWS Cloud and has a backend that is based on Amazon DynamoDB. The database table uses provisioned throughput mode with 100,000 RCUs and 80,000 WCUs to match known peak resource consumption. The company wants to reduce its DynamoDB cost and minimize the operational overhead for the IT staff. Which solution meets these requirements MOST cost-effectively?", "options": [ "A. Reduce the provisioned RCUs and WCUs.", "B. Change the DynamoDB table to use on-demand capacity.", "C. Enable DynamoDB auto scaling for the table.", "D. Purchase 1-year reserved capacity that is sufficient to cover the peak load for 4 hours each" ], "correct": "A. Reduce the provisioned RCUs and WCUs.", "explanation": "Explanation/Reference: Community vote distribution C (67%) B (19%) D (15%)", "references": "" }, { "question": "Topic 1 A company hosts a blog post application on AWS using Amazon API Gateway, Amazon DynamoDB, and AWS Lambda. The application currently does not use API keys to authorize requests. The API model is as follows: GET /posts/{postId}: to get post details GET /users/{userId}: to get user details GET /comments/{commentId}: to get comments details The company has noticed users are actively discussing topics in the comments section, and the company wants to increase user engagement by making the comments appear in real time. Which design should be used to reduce comment latency and improve user experience?", "options": [ "A. Use edge-optimized API with Amazon CloudFront to cache API responses.", "B. Modify the blog application code to request GET/comments/{commentId} every 10", "D. 
Change the concurrency limit of the Lambda functions to lower the API response time." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company manages hundreds of AWS accounts centrally in an organization in AWS Organizations. The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points can be accessed only within VPCs, not on the internet. What is the MOST operationally efficient way to enforce this requirement?", "options": [ "A. Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless", "B. Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action", "C. Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that", "D. Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the" ], "correct": "A. Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless", "explanation": "Explanation/Reference: Community vote distribution B (95%) 5%", "references": "" }, { "question": "Topic 1 A solutions architect must update an application environment within AWS Elastic Beanstalk using a blue/green deployment methodology. The solutions architect creates an environment that is identical to the existing application environment and deploys the application to the new environment. What should be done next to complete the update?", "options": [ "A. Redirect to the new environment using Amazon Route 53.", "B. Select the Swap Environment URLs option.", "D. Update the DNS records to point to the green environment." ], "correct": "A. 
Redirect to the new environment using Amazon Route 53.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is building an image service on the web that will allow users to upload and search random photos. At peak usage, up to 10,000 users worldwide will upload their images. The will then overlay text on the uploaded images, which will then be published on the company website. Which design should a solutions architect implement?", "options": [ "A. Store the uploaded images in Amazon Elastic File System (Amazon EFS). Send application", "B. Store the uploaded images in an Amazon S3 bucket and configure an S3 bucket event", "C. Store the uploaded images in an Amazon S3 bucket and configure an S3 bucket event", "D. Store the uploaded images on a shared Amazon Elastic Block Store (Amazon EBS) volume", "A. Create an Amazon Aurora MySQL replica of the RDS for MySQL DB instance. Pause", "B. Add a cross-Region replica in eu-west-1 for the RDS for MySQL DB instance. Configure the", "C. Copy the most recent snapshot from the RDS for MySQL DB instance to eu-west-1. Create a", "D. Convert the RDS for MySQL DB instance to an Amazon Aurora MySQL DB cluster. Add eu-" ], "correct": "B. Add a cross-Region replica in eu-west-1 for the RDS for MySQL DB instance. Configure the", "explanation": "Explanation/Reference: Community vote distribution A (72%) D (28%)", "references": "" }, { "question": "Topic 1 A company is serving files to its customers through an SFTP server that is accessible over the internet. The SFTP server is running on a single Amazon EC2 instance with an Elastic IP address attached. Customers connect to the SFTP server through its Elastic IP address and use SSH for authentication. The EC2 instance also has an attached security group that allows access from all customer IP addresses. 
A solutions architect must implement a solution to improve availability, minimize the complexity of infrastructure management, and minimize the disruption to customers who access files. The solution must not change the way customers connect. Which solution will meet these requirements?", "options": [ "A. Disassociate the Elastic IP address from the EC2 instance. Create an Amazon S3 bucket to", "B. Disassociate the Elastic IP address from the EC2 instance. Create an Amazon S3 bucket to", "C. Disassociate the Elastic IP address from the EC2 instance. Create a new Amazon Elastic", "D. Disassociate the Elastic IP address from the EC2 instance. Create a multi-attach Amazon" ], "correct": "C. Disassociate the Elastic IP address from the EC2 instance. Create a new Amazon Elastic", "explanation": "Explanation/Reference: Community vote distribution B (89%) 11%", "references": "" }, { "question": "Topic 1 A company ingests and processes streaming market data. The data rate is constant. A nightly process that calculates aggregate statistics takes 4 hours to complete. The statistical analysis is not critical to the business, and data points are processed during the next iteration if a particular run fails. The current architecture uses a pool of Amazon EC2 Reserved Instances with 1-year reservations. These EC2 instances run full time to ingest and store the streaming data in attached Amazon Elastic Block Store (Amazon EBS) volumes. A scheduled script launches EC2 On-Demand Instances each night to perform the nightly processing. The instances access the stored data from NFS shares on the ingestion servers. The script terminates the instances when the processing is complete. The Reserved Instance reservations are expiring. The company needs to determine whether to purchase new reservations or implement a new design. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. 
Update the ingestion process to use Amazon Kinesis Data Firehose to save data to", "B. Update the ingestion process to use Amazon Kinesis Data Firehose to save data to", "C. Update the ingestion process to use a fleet of EC2 Reserved Instances with 3-year", "D. Update the ingestion process to use Amazon Kinesis Data Firehose to save data to" ], "correct": "A. Update the ingestion process to use Amazon Kinesis Data Firehose to save data to", "explanation": "Explanation/Reference: Community vote distribution B (95%) 5%", "references": "" }, { "question": "Topic 1 A company needs to migrate an on-premises SFTP site to AWS. The SFTP site currently runs on a Linux VM. Uploaded files are made available to downstream applications through an NFS share. As part of the migration to AWS, a solutions architect must implement high availability. The solution must provide external vendors with a set of static public IP addresses that the vendors can allow. The company has set up an AWS Direct Connect connection between its on-premises data center and its VPC. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an AWS Transfer Family server. Configure an internet-facing VPC endpoint for the", "B. Create an AWS Transfer Family server. Configure a publicly accessible endpoint for the", "C. Use AWS Application Migration Service to migrate the existing Linux VM to an Amazon EC2", "D. Use AWS Application Migration Service to migrate the existing Linux VM to an AWS" ], "correct": "B. Create an AWS Transfer Family server. Configure a publicly accessible endpoint for the", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A solutions architect has an operational workload deployed on Amazon EC2 instances in an Auto Scaling group. 
The VPC architecture spans two Availability Zones (AZ) with a subnet in each that the Auto Scaling group is targeting. The VPC is connected to an on-premises environment and connectivity cannot be interrupted. The maximum size of the Auto Scaling group is 20 instances in service. The VPC IPv4 addressing is as follows: VPC CIDR: 10.0.0.0/23; AZ1 subnet CIDR: 10.0.0.0/24; AZ2 subnet CIDR: 10.0.1.0/24. Since deployment, a third AZ has become available in the Region. The solutions architect wants to adopt the new AZ without adding additional IPv4 address space and without service downtime. Which solution will meet these requirements?", "options": [ "A. Update the Auto Scaling group to use the AZ2 subnet only. Delete and re-create the AZ1", "B. Terminate the EC2 instances in the AZ1 subnet. Delete and re-create the AZ1 subnet using", "C. Create a new VPC with the same IPv4 address space and define three subnets, with one for", "D. Update the Auto Scaling group to use the AZ2 subnet only. Update the AZ1 subnet to have" ], "correct": "D. Update the Auto Scaling group to use the AZ2 subnet only. Update the AZ1 subnet to have", "explanation": "Explanation/Reference: Community vote distribution A (92%) 8%", "references": "" }, { "question": "Topic 1 A company uses an organization in AWS Organizations to manage the company's AWS accounts. The company uses AWS CloudFormation to deploy all infrastructure. A finance team wants to build a chargeback model. The finance team asked each business unit to tag resources by using a predefined list of project values. When the finance team used the AWS Cost and Usage Report in AWS Cost Explorer and filtered based on project, the team noticed noncompliant project values. The company wants to enforce the use of project tags for new resources. Which solution will meet these requirements with the LEAST effort?", "options": [ "A. Create a tag policy that contains the allowed project tag values in the organization's", "B.
Create a tag policy that contains the allowed project tag values in each OU. Create an SCP", "C. Create a tag policy that contains the allowed project tag values in the AWS management", "D. Use AWS Service Catalog to manage the CloudFormation stacks as products. Use a" ], "correct": "C. Create a tag policy that contains the allowed project tag values in the AWS management", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 An application is deployed on Amazon EC2 instances that run in an Auto Scaling group. The Auto Scaling group configuration uses only one type of instance. CPU and memory utilization metrics show that the instances are underutilized. A solutions architect needs to implement a solution to permanently reduce the EC2 cost and increase the utilization. Which solution will meet these requirements with the LEAST number of configuration changes in the future?", "options": [ "A. List instance types that have properties that are similar to the properties that the current", "B. Use the information about the application's CPU and memory utilization to select an", "C. Use the information about the application's CPU and memory utilization to specify CPU and", "D. Create a script that selects the appropriate instance types from the AWS Price List Bulk" ], "correct": "B. Use the information about the application's CPU and memory utilization to select an", "explanation": "Explanation/Reference: Community vote distribution C (63%) B (37%)", "references": "" }, { "question": "Topic 1 A company implements a containerized application by using Amazon Elastic Container Service (Amazon ECS) and Amazon API Gateway. The application data is stored in Amazon Aurora databases and Amazon DynamoDB databases. The company automates infrastructure provisioning by using AWS CloudFormation. The company automates application deployment by using AWS CodePipeline.
A solutions architect needs to implement a disaster recovery (DR) strategy that meets an RPO of 2 hours and an RTO of 4 hours. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Set up an Aurora global database and DynamoDB global tables to replicate the databases", "B. Use AWS Database Migration Service (AWS DMS), Amazon EventBridge, and AWS Lambda", "C. Use AWS Backup to create backups of the Aurora databases and the DynamoDB databases", "D. Set up an Aurora global database and DynamoDB global tables to replicate the databases" ], "correct": "A. Set up an Aurora global database and DynamoDB global tables to replicate the databases", "explanation": "Explanation/Reference: Community vote distribution C (58%) D (37%) 5%", "references": "" }, { "question": "Topic 1 A company has a complex web application that leverages Amazon CloudFront for global scalability and performance. Over time, users report that the web application is slowing down. The company's operations team reports that the CloudFront cache hit ratio has been dropping steadily. The cache metrics report indicates that query strings on some URLs are inconsistently ordered and are specified sometimes in mixed-case letters and sometimes in lowercase letters. Which set of actions should the solutions architect take to increase the cache hit ratio as quickly as possible?", "options": [ "A. Deploy a Lambda@Edge function to sort parameters by name and force them to be", "B. Update the CloudFront distribution to disable caching based on query string parameters.", "C. Deploy a reverse proxy after the load balancer to post-process the emitted URLs in the", "D. Update the CloudFront distribution to specify casing-insensitive query string processing." ], "correct": "A.
Deploy a Lambda@Edge function to sort parameters by name and force them to be", "explanation": "Explanation/Reference: Community vote distribution A (91%) 9%", "references": "" }, { "question": "Topic 1 A company runs an ecommerce application in a single AWS Region. The application uses a five-node Amazon Aurora MySQL DB cluster to store information about customers and their recent orders. The DB cluster experiences a large number of write transactions throughout the day. The company needs to replicate the data in the Aurora database to another Region to meet disaster recovery requirements. The company has an RPO of 1 hour. Which solution will meet these requirements with the LOWEST cost?", "options": [ "A. Modify the Aurora database to be an Aurora global database. Create a second Aurora", "B. Enable the Backtrack feature for the Aurora database. Create an AWS Lambda function", "C. Use AWS Database Migration Service (AWS DMS). Create a DMS change data capture", "D. Turn off automated Aurora backups. Configure Aurora backups with a backup frequency of" ], "correct": "C. Use AWS Database Migration Service (AWS DMS). Create a DMS change data capture", "explanation": "Explanation/Reference: Community vote distribution C (69%) A (25%) 7%", "references": "" }, { "question": "Topic 1 A company's solutions architect is evaluating an AWS workload that was deployed several years ago. The application tier is stateless and runs on a single large Amazon EC2 instance that was launched from an AMI. The application stores data in a MySQL database that runs on a single EC2 instance. The CPU utilization on the application server EC2 instance often reaches 100% and causes the application to stop responding. The company manually installs patches on the instances. Patching has caused downtime in the past. The company needs to make the application highly available. Which solution will meet these requirements with the LEAST development time?", "options": [ "A.
Move the application tier to AWS Lambda functions in the existing VPC. Create an", "B. Change the EC2 instance type to a smaller Graviton powered instance type. Use the", "C. Move the application tier to containers by using Docker. Run the containers on Amazon", "D. Create a new AMI that is configured with AWS Systems Manager Agent (SSM Agent). Use" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company is planning to migrate several applications to AWS. The company does not have a good understanding of its entire application estate. The estate consists of a mixture of physical machines and VMs. One application that the company will migrate has many dependencies that are sensitive to latency. The company is unsure what all the dependencies are. However, the company knows that the low-latency communications use a custom IP-based protocol that runs on port 1000. The company wants to migrate the application and these dependencies together to move all the low-latency interfaces to AWS at the same time. The company has installed the AWS Application Discovery Agent and has been collecting data for several months. What should the company do to identify the dependencies that need to be migrated in the same phase as the application?", "options": [ "A. Use AWS Migration Hub and select the servers that host the application. Visualize the", "B. Use AWS Application Migration Service and select the servers that host the application.", "C. Use AWS Migration Hub and select the servers that host the application. Turn on data", "D. Use AWS Migration Hub and select the servers that host the application. Push the Amazon" ], "correct": "A. Use AWS Migration Hub and select the servers that host the application.
Visualize the", "explanation": "Explanation/Reference: Community vote distribution A (95%) 5%", "references": "" }, { "question": "Topic 1 A company is building an application that will run on an AWS Lambda function. Hundreds of customers will use the application. The company wants to give each customer a quota of requests for a specific time period. The quotas must match customer usage patterns. Some customers must receive a higher quota for a shorter time period. Which solution will meet these requirements?", "options": [ "A. Create an Amazon API Gateway REST API with a proxy integration to invoke the Lambda", "B. Create an Amazon API Gateway HTTP API with a proxy integration to invoke the Lambda", "C. Create a Lambda function alias for each customer. Include a concurrency limit with an", "D. Create an Application Load Balancer (ALB) in a VPC. Configure the Lambda function as a" ], "correct": "A. Create an Amazon API Gateway REST API with a proxy integration to invoke the Lambda", "explanation": "Explanation/Reference: Community vote distribution A (88%) 12%", "references": "" }, { "question": "Topic 1 A company is planning to migrate its on-premises VMware cluster of 120 VMs to AWS. The VMs have many different operating systems and many custom software packages installed. The company also has an on-premises NFS server that is 10 TB in size. The company has set up a 10 Gbps AWS Direct Connect connection to AWS for the migration. Which solution will complete the migration to AWS in the LEAST amount of time?", "options": [ "A. Export the on-premises VMs and copy them to an Amazon S3 bucket. Use VM", "B. Configure AWS Application Migration Service with a connection to the VMware cluster.", "D. Order two AWS Snowball Edge devices. Copy the VMs and the NFS server data to the" ], "correct": "B.
Configure AWS Application Migration Service with a connection to the VMware cluster.", "explanation": "Explanation/Reference: Community vote distribution B (92%) 8%", "references": "" }, { "question": "Topic 1 An online survey company runs its application in the AWS Cloud. The application is distributed and consists of microservices that run in an automatically scaled Amazon Elastic Container Service (Amazon ECS) cluster. The ECS cluster is a target for an Application Load Balancer (ALB). The ALB is a custom origin for an Amazon CloudFront distribution. The company has a survey that contains sensitive data. The sensitive data must be encrypted when it moves through the application. The application's data-handling microservice is the only microservice that should be able to decrypt the data. Which solution will meet these requirements?", "options": [ "A. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the", "B. Create an RSA key pair that is dedicated to the data-handling microservice. Upload the", "C. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the", "D. Create an RSA key pair that is dedicated to the data-handling microservice. Create a", "A. Create a private hosted zone. Activate the enableDnsSupport attribute and the", "B. Create a private hosted zone. Associate the private hosted zone with the VPC. Activate the", "C. Deactivate the enableDnsSupport attribute for the VPC. Activate the enableDnsHostnames", "D. Create a private hosted zone. Associate the private hosted zone with the VPC. Activate the" ], "correct": "B. Create a private hosted zone. Associate the private hosted zone with the VPC. Activate the", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A data analytics company has an Amazon Redshift cluster that consists of several reserved nodes.
The cluster is experiencing unexpected bursts of usage because a team of employees is compiling a deep audit analysis report. The queries to generate the report are complex read queries and are CPU intensive. Business requirements dictate that the cluster must be able to service read and write queries at all times. A solutions architect must devise a solution that accommodates the bursts of usage. Which solution meets these requirements MOST cost-effectively?", "options": [ "A. Provision an Amazon EMR cluster. Offload the complex data processing tasks.", "B. Deploy an AWS Lambda function to add capacity to the Amazon Redshift cluster by using a", "C. Deploy an AWS Lambda function to add capacity to the Amazon Redshift cluster by using", "D. Turn on the Concurrency Scaling feature for the Amazon Redshift cluster." ], "correct": "D. Turn on the Concurrency Scaling feature for the Amazon Redshift cluster.", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A research center is migrating to the AWS Cloud and has moved its on-premises 1 PB object storage to an Amazon S3 bucket. One hundred scientists are using this object storage to store their work-related documents. Each scientist has a personal folder on the object store. All the scientists are members of a single IAM user group. The research center's compliance officer is worried that scientists will be able to access each other's work. The research center has a strict obligation to report on which scientist accesses which documents. The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead. Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Create an identity policy that grants the user read and write access. Add a condition that", "B.
Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket.", "C. Enable S3 server access logging. Configure another S3 bucket as the target for log", "D. Create an S3 bucket policy that grants read and write access to users in the scientists' IAM" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AB (71%) AC (18%) 12%", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations to manage a multi-account structure. The company has hundreds of AWS accounts and expects the number of accounts to increase. The company is building a new application that uses Docker images. The company will push the Docker images to Amazon Elastic Container Registry (Amazon ECR). Only accounts that are within the company's organization should have access to the images. The company has a CI/CD process that runs frequently. The company wants to retain all the tagged images. However, the company wants to retain only the five most recent untagged images. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create a private repository in Amazon ECR. Create a permissions policy for the repository", "B. Create a public repository in Amazon ECR. Create an IAM role in the ECR account. Set", "C. Create a private repository in Amazon ECR. Create a permissions policy for the repository", "D. Create a public repository in Amazon ECR. Configure Amazon ECR to use an interface VPC" ], "correct": "A. Create a private repository in Amazon ECR. Create a permissions policy for the repository", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A solutions architect is reviewing a company's process for taking snapshots of Amazon RDS DB instances. The company takes automatic snapshots every day and retains the snapshots for 7 days.
The solutions architect needs to recommend a solution that takes snapshots every 6 hours and retains the snapshots for 30 days. The company uses AWS Organizations to manage all of its AWS accounts. The company needs a consolidated view of the health of the RDS snapshots. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Turn on the cross-account management feature in AWS Backup. Create a backup plan that", "B. Turn on the cross-account management feature in Amazon RDS. Create a snapshot global", "C. Turn on the cross-account management feature in AWS CloudFormation. From the", "D. Configure AWS Backup in each account. Create an Amazon Data Lifecycle Manager" ], "correct": "A. Turn on the cross-account management feature in AWS Backup. Create a backup plan that", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is using AWS Organizations with a multi-account architecture. The company's current security configuration for the account architecture includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies. A solutions architect needs to allow an IAM user in Account A to assume a role in Account B. Which combination of steps must the solutions architect take to meet this requirement? (Choose three.)", "options": [ "A. Configure the SCP for Account A to allow the action.", "B. Configure the resource-based policies to allow the action.", "C. Configure the identity-based policy on the user in Account A to allow the action.", "D. Configure the identity-based policy on the user in Account B to allow the action.", "A. Deploy an AWS Storage Gateway file gateway that is associated with an S3 bucket. Move", "B. Deploy an AWS Storage Gateway volume gateway that is associated with an S3 bucket.", "C. Deploy an AWS Storage Gateway tape gateway that is associated with an S3 bucket. Move", "D.
Deploy an AWS Storage Gateway file gateway that is associated with an S3 bucket. Move" ], "correct": "D. Deploy an AWS Storage Gateway file gateway that is associated with an S3 bucket. Move", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company runs its application on Amazon EC2 instances and AWS Lambda functions. The EC2 instances experience a continuous and stable load. The Lambda functions experience a varied and unpredictable load. The application includes a caching layer that uses an Amazon MemoryDB for Redis cluster. A solutions architect must recommend a solution to minimize the company's overall monthly costs. Which solution will meet these requirements?", "options": [ "A. Purchase an EC2 instance Savings Plan to cover the EC2 instances. Purchase a Compute", "B. Purchase a Compute Savings Plan to cover the EC2 instances. Purchase Lambda reserved", "C. Purchase a Compute Savings Plan to cover the entire expected cost of the EC2 instances," ], "correct": "C. Purchase a Compute Savings Plan to cover the entire expected cost of the EC2 instances,", "explanation": "Explanation/Reference: Community vote distribution A (86%) 14%", "references": "" }, { "question": "Topic 1 A company is launching a new online game on Amazon EC2 instances. The game must be available globally. The company plans to run the game in three AWS Regions us-east-1, eu-west-1, and ap-southeast-1. The game's leaderboards, player inventory and event status must be available across Regions. A solutions architect must design a solution that will give any Region the ability to scale to handle the load of all Regions. Additionally, users must automatically connect to the Region that provides the least latency. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an EC2 Spot Fleet. Attach the Spot Fleet to a Network Load Balancer (NLB) in each", "B.
Create an Auto Scaling group for the EC2 instances. Attach the Auto Scaling group to a", "C. Create an Auto Scaling group for the EC2 instances. Attach the Auto Scaling group to a", "D. Use EC2 Global View. Deploy the EC2 instances to each Region. Attach the instances to a" ], "correct": "C. Create an Auto Scaling group for the EC2 instances. Attach the Auto Scaling group to a", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "A company is deploying a third-party firewall appliance solution from AWS Marketplace to monitor and protect traffic that leaves the company's AWS environments. The company wants to deploy this appliance into a shared services VPC and route all outbound internet-bound traffic through the appliances. A solutions architect needs to recommend a deployment method that prioritizes reliability and minimizes failover time between firewall appliances within a single AWS Region. The company has set up routing from the shared services VPC to other VPCs. Which steps should the solutions architect recommend to meet these requirements? (Choose three.)", "options": [ "A. Deploy two firewall appliances into the shared services VPC, each in a separate Availability", "B. Create a new Network Load Balancer in the shared services VPC. Create a new target", "C. Create a new Gateway Load Balancer in the shared services VPC. Create a new target group,", "D. Create a VPC interface endpoint. Add a route to the route table in the shared services VPC." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACF (86%) 9%", "references": "" }, { "question": "Topic 1 A solutions architect needs to migrate an on-premises legacy application to AWS. The application runs on two servers behind a load balancer.
The application requires a license file that is associated with the MAC address of the server's network adapter. It takes the software vendor 12 hours to send new license files. The application also uses configuration files with a static IP address to access a database server, host names are not supported. Given these requirements, which combination of steps should be taken to implement highly available architecture for the application servers in AWS? (Choose two.)", "options": [ "A. Create a pool of ENIs. Request license files from the vendor for the pool, and store the", "B. Create a pool of ENIs. Request license files from the vendor for the pool, store the license", "C. Create a bootstrap automation script to request a new license file from the vendor. When", "D. Edit the bootstrap automation script to read the database server IP address from the AWS" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AD (100%)", "references": "" }, { "question": "Topic 1 A company runs its sales reporting application in an AWS Region in the United States. The application uses an Amazon API Gateway Regional API and AWS Lambda functions to generate on-demand reports from data in an Amazon RDS for MySQL database. The frontend of the application is hosted on Amazon S3 and is accessed by users through an Amazon CloudFront distribution. The company is using Amazon Route 53 as the DNS service for the domain. Route 53 is configured with a simple routing policy to route traffic to the API Gateway API. In the next 6 months, the company plans to expand operations to Europe. More than 90% of the database traffic is read-only traffic. The company has already deployed an API Gateway API and Lambda functions in the new Region. A solutions architect must design a solution that minimizes latency for users who download reports. Which solution will meet these requirements?", "options": [ "A.
Use an AWS Database Migration Service (AWS DMS) task with full load to replicate the", "B. Use an AWS Database Migration Service (AWS DMS) task with full load plus change data", "C. Configure a cross-Region read replica for the RDS database in the new Region. Change the", "D. Configure a cross-Region read replica for the RDS database in the new Region. Change the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution C (96%) 4%", "references": "" }, { "question": "Topic 1 A software company needs to create short-lived test environments to test pull requests as part of its development process. Each test environment consists of a single Amazon EC2 instance that is in an Auto Scaling group. The test environments must be able to communicate with a central server to report test results. The central server is located in an on-premises data center. A solutions architect must implement a solution so that the company can create and delete test environments without any manual intervention. The company has created a transit gateway with a VPN attachment to the on-premises network. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an AWS CloudFormation template that contains a transit gateway attachment and", "B. Create a single VPC for the test environments. Include a transit gateway attachment and", "C. Create a new OU in AWS Organizations for testing. Create an AWS CloudFormation", "D. Convert the test environment EC2 instances into Docker images. Use AWS CloudFormation" ], "correct": "B. Create a single VPC for the test environments. Include a transit gateway attachment and", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is deploying a new API to AWS. The API uses Amazon API Gateway with a Regional API endpoint and an AWS Lambda function for hosting.
The API retrieves data from an external vendor API, stores data in an Amazon DynamoDB global table, and retrieves data from the DynamoDB global table. The API key for the vendor's API is stored in AWS Secrets Manager and is encrypted with a customer managed key in AWS Key Management Service (AWS KMS). The company has deployed its own API into a single AWS Region. A solutions architect needs to change the API components of the company's API to ensure that the components can run across multiple Regions in an active-active configuration. Which combination of changes will meet this requirement with the LEAST operational overhead? (Choose three.)", "options": [ "A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain", "B. Create a new KMS multi-Region customer managed key. Create a new KMS customer", "C. Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region's", "D. Create a new AWS managed KMS key in each in-scope Region. Convert an existing key to a" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABC (77%) BCF (23%)", "references": "" }, { "question": "Topic 1 An online retail company hosts its stateful web-based application and MySQL database in an on-premises data center on a single server. The company wants to increase its customer base by conducting more marketing campaigns and promotions. In preparation, the company wants to migrate its application and database to AWS to increase the reliability of its architecture. Which solution should provide the HIGHEST level of reliability?", "options": [ "A. Migrate the database to an Amazon RDS MySQL Multi-AZ DB instance. Deploy the", "B. Migrate the database to Amazon Aurora MySQL. Deploy the application in an Auto Scaling", "C. Migrate the database to Amazon DocumentDB (with MongoDB compatibility). Deploy the" ], "correct": "B. Migrate the database to Amazon Aurora MySQL.
Deploy the application in an Auto Scaling", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company's solutions architect needs to provide secure Remote Desktop connectivity to users for Amazon EC2 Windows instances that are hosted in a VPC. The solution must integrate centralized user management with the company's on-premises Active Directory. Connectivity to the VPC is through the internet. The company has hardware that can be used to establish an AWS Site-to-Site VPN connection. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active", "B. Configure AWS IAM Identity Center (AWS Single Sign-On) to integrate with the on-premises", "C. Implement a VPN between the on-premises environment and the target VPC. Ensure that the", "D. Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active" ], "correct": "C. Implement a VPN between the on-premises environment and the target VPC. Ensure that the", "explanation": "Explanation/Reference: Community vote distribution B (57%) C (38%) 5%", "references": "" }, { "question": "Topic 1 A company's compliance audit reveals that some Amazon Elastic Block Store (Amazon EBS) volumes that were created in an AWS account were not encrypted. A solutions architect must implement a solution to encrypt all new EBS volumes at rest. Which solution will meet this requirement with the LEAST effort?", "options": [ "A. Create an Amazon EventBridge rule to detect the creation of unencrypted EBS volumes.", "B. Use AWS Audit Manager with data encryption.", "C. Create an AWS Config rule to detect the creation of a new EBS volume. Encrypt the volume", "D. Turn on EBS encryption by default in all AWS Regions." ], "correct": "D.
Turn on EBS encryption by default in all AWS Regions.", "explanation": "Explanation/Reference: Community vote distribution D (81%) C (19%)", "references": "" }, { "question": "Topic 1 A research company is running daily simulations in the AWS Cloud to meet high demand. The simulations run on several hundred Amazon EC2 instances that are based on Amazon Linux 2. Occasionally, a simulation gets stuck and requires a cloud operations engineer to solve the problem by connecting to an EC2 instance through SSH. Company policy states that no EC2 instance can use the same SSH key and that all connections must be logged in AWS CloudTrail. How can a solutions architect meet these requirements?", "options": [ "A. Launch new EC2 instances, and generate an individual SSH key for each instance. Store", "B. Create an AWS Systems Manager document to run commands on EC2 instances to set a", "C. Launch new EC2 instances without setting up any SSH key for the instances. Set up EC2", "D. Set up AWS Secrets Manager to store the EC2 SSH key. Create a new AWS Lambda" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is migrating mobile banking applications to run on Amazon EC2 instances in a VPC. Backend service applications run in an on-premises data center. The data center has an AWS Direct Connect connection into AWS. The applications that run in the VPC need to resolve DNS requests to an on-premises Active Directory domain that runs in the data center. Which solution will meet these requirements with the LEAST administrative overhead?", "options": [ "A. Provision a set of EC2 instances across two Availability Zones in the VPC as caching DNS", "B. Provision an Amazon Route 53 private hosted zone. Configure NS records that point to on-", "C. Create DNS endpoints by using Amazon Route 53 Resolver. Add conditional forwarding", "D.
Provision a new Active Directory domain controller in the VPC with a bidirectional trust" ], "correct": "C. Create DNS endpoints by using Amazon Route 53 Resolver. Add conditional forwarding", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company processes environmental data. The company has set up sensors to provide a continuous stream of data from different areas in a city. The data is available in JSON format. The company wants to use an AWS solution to send the data to a database that does not require fixed schemas for storage. The data must be sent in real time. Which solution will meet these requirements?", "options": [ "A. Use Amazon Kinesis Data Firehose to send the data to Amazon Redshift.", "B. Use Amazon Kinesis Data Streams to send the data to Amazon DynamoDB.", "C. Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) to send the data to", "D. Use Amazon Kinesis Data Firehose to send the data to Amazon Keyspaces (for Apache" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is migrating a legacy application from an on-premises data center to AWS. The application uses MongoDB as a key-value database. According to the company's technical guidelines, all Amazon EC2 instances must be hosted in a private subnet without an internet connection. In addition, all connectivity between applications and databases must be encrypted. The database must be able to scale based on demand. Which solution will meet these requirements?", "options": [ "A. Create new Amazon DocumentDB (with MongoDB compatibility) tables for the application", "B. Create new Amazon DynamoDB tables for the application with on-demand capacity. Use a", "C. Create new Amazon DynamoDB tables for the application with on-demand capacity. Use an", "D.
Create new Amazon DocumentDB (with MongoDB compatibility) tables for the application" ], "correct": "D. Create new Amazon DocumentDB (with MongoDB compatibility) tables for the application", "explanation": "Explanation/Reference: Community vote distribution B (59%) D (30%) 11%", "references": "" }, { "question": "Topic 1 A company is running an application on Amazon EC2 instances in the AWS Cloud. The application is using a MongoDB database with a replica set as its data tier. The MongoDB database is installed on systems in the company's on-premises data center and is accessible through an AWS Direct Connect connection to the data center environment. A solutions architect must migrate the on-premises MongoDB database to Amazon DocumentDB (with MongoDB compatibility). Which strategy should the solutions architect choose to perform this migration?", "options": [ "A. Create a fleet of EC2 instances. Install MongoDB Community Edition on the EC2 instances,", "B. Create an AWS Database Migration Service (AWS DMS) replication instance. Create a", "C. Create a data migration pipeline by using AWS Data Pipeline. Define data nodes for the on-", "D. Create a source endpoint for the on-premises MongoDB database by using AWS Glue" ], "correct": "B. Create an AWS Database Migration Service (AWS DMS) replication instance. Create a", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is rearchitecting its applications to run on AWS. The company's infrastructure includes multiple Amazon EC2 instances. The company's development team needs different levels of access. The company wants to implement a policy that requires all Windows EC2 instances to be joined to an Active Directory domain on AWS. The company also wants to implement enhanced security processes such as multi-factor authentication (MFA). The company wants to use managed AWS services wherever possible.
Which solution will meet these requirements?", "options": [ "A. Create an AWS Directory Service for Microsoft Active Directory implementation. Launch an", "B. Create an AWS Directory Service for Microsoft Active Directory implementation. Launch an", "C. Create an AWS Directory Service Simple AD implementation. Launch an EC2 instance.", "D. Create an AWS Directory Service Simple AD implementation. Launch an Amazon" ], "correct": "A. Create an AWS Directory Service for Microsoft Active Directory implementation. Launch an", "explanation": "Explanation/Reference: Community vote distribution B (59%) A (41%)", "references": "" }, { "question": "A company wants to migrate its on-premises application to AWS. The database for the application stores structured product data and temporary user session data. The company needs to decouple the product data from the user session data. The company also needs to implement replication in another AWS Region for disaster recovery. Which solution will meet these requirements with the HIGHEST performance?", "options": [ "A. Create an Amazon RDS DB instance with separate schemas to host the product data and", "B. Create an Amazon RDS DB instance to host the product data. Configure a read replica for", "C. Create two Amazon DynamoDB global tables. Use one global table to host the product", "D. Create an Amazon RDS DB instance to host the product data. Configure a read replica for" ], "correct": "D. Create an Amazon RDS DB instance to host the product data. Configure a read replica for", "explanation": "Explanation/Reference: Community vote distribution D (47%) C (33%) B (19%)", "references": "" }, { "question": "Topic 1 A company orchestrates a multi-account structure on AWS by using AWS Control Tower. The company is using AWS Organizations, AWS Config, and AWS Trusted Advisor. The company has a specific OU for development accounts that developers use to experiment on AWS.
The company has hundreds of developers, and each developer has an individual development account. The company wants to optimize costs in these development accounts. Amazon EC2 instances and Amazon RDS instances in these accounts must be burstable. The company wants to disallow the use of other services that are not relevant. What should a solutions architect recommend to meet these requirements?", "options": [ "A. Create a custom SCP in AWS Organizations to allow the deployment of only burstable", "B. Create a custom detective control (guardrail) in AWS Control Tower. Configure the control", "C. Create a custom preventive control (guardrail) in AWS Control Tower. Configure the control", "D. Create an AWS Config rule in the AWS Control Tower account. Configure the AWS Config" ], "correct": "A. Create a custom SCP in AWS Organizations to allow the deployment of only burstable", "explanation": "Explanation/Reference: Community vote distribution C (72%) A (28%)", "references": "" }, { "question": "Topic 1 A financial services company runs a complex, multi-tier application on Amazon EC2 instances and AWS Lambda functions. The application stores temporary data in Amazon S3. The S3 objects are valid for only 45 minutes and are deleted after 24 hours. The company deploys each version of the application by launching an AWS CloudFormation stack. The stack creates all resources that are required to run the application. When the company deploys and validates a new application version, the company deletes the CloudFormation stack of the old version. The company recently tried to delete the CloudFormation stack of an old application version, but the operation failed. An analysis shows that CloudFormation failed to delete an existing S3 bucket. A solutions architect needs to resolve this issue without making major changes to the application's architecture. Which solution meets these requirements?", "options": [ "A.
Implement a Lambda function that deletes all files from a given S3 bucket. Integrate this", "B. Modify the CloudFormation template to provision an Amazon Elastic File System (Amazon", "C. Modify the CloudFormation stack to create an S3 Lifecycle rule that expires all objects 45", "D. Modify the CloudFormation stack to attach a DeletionPolicy attribute with a value of Delete", "A. Implement the REST API using a Network Load Balancer (NLB). Run the business logic on", "B. Implement the REST API using an Application Load Balancer (ALB). Run the business logic", "C. Implement the REST API using Amazon API Gateway. Run the business logic in AWS", "D. Implement the REST API using AWS AppSync. Run the business logic in AWS Lambda." ], "correct": "D. Implement the REST API using AWS AppSync. Run the business logic in AWS Lambda.", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is migrating an application to the AWS Cloud. The application runs in an on-premises data center and writes thousands of images into a mounted NFS file system each night. After the company migrates the application, the company will host the application on an Amazon EC2 instance with a mounted Amazon Elastic File System (Amazon EFS) file system. The company has established an AWS Direct Connect connection to AWS. Before the migration cutover, a solutions architect must build a process that will replicate the newly created on-premises images to the EFS file system. What is the MOST operationally efficient way to replicate the images?", "options": [ "A. Configure a periodic process to run the aws s3 sync command from the on-premises file", "B. Deploy an AWS Storage Gateway file gateway with an NFS mount point. Mount the file", "D.
Deploy an AWS DataSync agent to an on-premises server that has access to the NFS file" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company recently migrated a web application from an on-premises data center to the AWS Cloud. The web application infrastructure consists of an Amazon CloudFront distribution that routes to an Application Load Balancer (ALB), with Amazon Elastic Container Service (Amazon ECS) to process requests. A recent security audit revealed that the web application is accessible by using both CloudFront and ALB endpoints. However, the company requires that the web application must be accessible only by using the CloudFront endpoint. Which solution will meet this requirement with the LEAST amount of effort?", "options": [ "A. Create a new security group and attach it to the CloudFront distribution. Update the ALB", "B. Update ALB security group ingress to allow access only from the", "C. Create a com.amazonaws.region.elasticloadbalancing VPC interface endpoint for Elastic", "D. Extract CloudFront IPs from the AWS provided ip-ranges.json document. Update ALB" ], "correct": "A. Create a new security group and attach it to the CloudFront distribution. Update the ALB", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company hosts a community forum site using an Application Load Balancer (ALB) and a Docker application hosted in an Amazon ECS cluster. The site data is stored in Amazon RDS for MySQL and the container image is stored in ECR. The company needs to provide their customers with a disaster recovery SLA with an RTO of no more than 24 hours and RPO of no more than 8 hours. Which of the following solutions is the MOST cost-effective way to meet the requirements?", "options": [ "A. Use AWS CloudFormation to deploy identical ALB, EC2, ECS and RDS resources in two", "B.
Store the Docker image in ECR in two regions. Schedule RDS snapshots every 8 hours with", "C. Use AWS CloudFormation to deploy identical ALB, EC2, ECS, and RDS resources in a", "D. Deploy a pilot light environment in a secondary region with an ALB and a minimal resource" ], "correct": "B. Store the Docker image in ECR in two regions. Schedule RDS snapshots every 8 hours with", "explanation": "Explanation/Reference: Community vote distribution B (90%) 10%", "references": "" }, { "question": "Topic 1 A company is migrating its infrastructure to the AWS Cloud. The company must comply with a variety of regulatory standards for different projects. The company needs a multi-account environment. A solutions architect needs to prepare the baseline infrastructure. The solution must provide a consistent baseline of management and security, but it must allow flexibility for different compliance requirements within various AWS accounts. The solution also needs to integrate with the existing on-premises Active Directory Federation Services (AD FS) server. Which solution meets these requirements with the LEAST amount of operational overhead?", "options": [ "A. Create an organization in AWS Organizations. Create a single SCP for least privilege", "B. Create an organization in AWS Organizations. Enable AWS Control Tower on the", "C. Create an organization in AWS Organizations. Create SCPs for least privilege access.", "D. Create an organization in AWS Organizations. Enable AWS Control Tower on the" ], "correct": "D. Create an organization in AWS Organizations. Enable AWS Control Tower on the", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 An online magazine will launch its latest edition this month. This edition will be the first to be distributed globally.
The magazine's dynamic website currently uses an Application Load Balancer in front of the web tier, a fleet of Amazon EC2 instances for web and application servers, and Amazon Aurora MySQL. Portions of the website include static content and almost all traffic is read-only. The magazine is expecting a significant spike in internet traffic when the new edition is launched. Optimal performance is a top priority for the week following the launch. Which combination of steps should a solutions architect take to reduce system response times for a global audience? (Choose two.)", "options": [ "A. Use logical cross-Region replication to replicate the Aurora MySQL database to a", "B. Ensure the web and application tiers are each in Auto Scaling groups. Introduce an AWS", "C. Migrate the database from Amazon Aurora to Amazon RDS for MySQL. Ensure all three of", "D. Use an Aurora global database for physical cross-Region replication. Use Amazon S3 with" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution DE (100%)", "references": "" }, { "question": "Topic 1 An online gaming company needs to optimize the cost of its workloads on AWS. The company uses a dedicated account to host the production environment for its online gaming application and an analytics application. Amazon EC2 instances host the gaming application and must always be available. The EC2 instances run all year. The analytics application uses data that is stored in Amazon S3. The analytics application can be interrupted and resumed without issue. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Purchase an EC2 Instance Savings Plan for the online gaming application instances. Use", "B. Purchase an EC2 Instance Savings Plan for the online gaming application instances. Use", "C. Use Spot Instances for the online gaming application and the analytics application. Set up", "D.
Use On-Demand Instances for the online gaming application. Use Spot Instances for the" ], "correct": "B. Purchase an EC2 Instance Savings Plan for the online gaming application instances. Use", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company runs applications in hundreds of production AWS accounts. The company uses AWS Organizations with all features enabled and has a centralized backup operation that uses AWS Backup. The company is concerned about ransomware attacks. To address this concern, the company has created a new policy that all backups must be resilient to breaches of privileged-user credentials in any production account. Which combination of steps will meet this new requirement? (Choose three.)", "options": [ "A. Implement cross-account backup with AWS Backup vaults in designated non-production", "B. Add an SCP that restricts the modification of AWS Backup vaults.", "C. Implement AWS Backup Vault Lock in compliance mode.", "D. Implement least privilege access for the IAM service role that is assigned to AWS Backup." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABC (56%) ACD (24%) ACE (20%)", "references": "" }, { "question": "Topic 1 A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing. A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load.
The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process. Which combination of steps should the solutions architect take to meet the requirements? (Choose three.)", "options": [ "A. Create a destination Amazon Kinesis data stream in the central logging account.", "B. Create a destination Amazon Simple Queue Service (Amazon SQS) queue in the central", "C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the", "D. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACE (100%)", "references": "" }, { "question": "Topic 1 A company is migrating a legacy application from an on-premises data center to AWS. The application consists of a single application server and a Microsoft SQL Server database server. Each server is deployed on a VMware VM that consumes 500 TB of data across multiple attached volumes. The company has established a 10 Gbps AWS Direct Connect connection from the closest AWS Region to its on-premises data center. The Direct Connect connection is not currently in use by other services. Which combination of steps should a solutions architect take to migrate the application with the LEAST amount of downtime? (Choose two.)", "options": [ "A. Use an AWS Server Migration Service (AWS SMS) replication job to migrate the database", "B. Use VM Import/Export to import the application server VM.", "C. Export the VM images to an AWS Snowball Edge Storage Optimized device.", "D.
Use an AWS Server Migration Service (AWS SMS) replication job to migrate the application" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution DE (59%) AD (31%) 8%", "references": "" }, { "question": "Topic 1 A company operates a fleet of servers on premises and operates a fleet of Amazon EC2 instances in its organization in AWS Organizations. The company's AWS accounts contain hundreds of VPCs. The company wants to connect its AWS accounts to its on-premises network. AWS Site-to-Site VPN connections are already established to a single AWS account. The company wants to control which VPCs can communicate with other VPCs. Which combination of steps will achieve this level of control with the LEAST operational effort? (Choose three.)", "options": [ "A. Create a transit gateway in an AWS account. Share the transit gateway across accounts by", "B. Configure attachments to all VPCs and VPNs.", "C. Set up transit gateway route tables. Associate the VPCs and VPNs with the route tables.", "D. Configure VPC peering between the VPCs." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABC (63%) ACE (37%)", "references": "" }, { "question": "Topic 1 A company needs to optimize the cost of its application on AWS. The application uses AWS Lambda functions and Amazon Elastic Container Service (Amazon ECS) containers that run on AWS Fargate. The application is write-heavy and stores data in an Amazon Aurora MySQL database. The load on the application is not consistent. The application experiences long periods of no usage, followed by sudden and significant increases and decreases in traffic. The database runs on a memory optimized DB instance that cannot handle the load. A solutions architect must design a solution that can scale to handle the changes in traffic. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Add additional read replicas to the database.
Purchase Instance Savings Plans and RDS", "B. Migrate the database to an Aurora DB cluster that has multiple writer instances. Purchase", "C. Migrate the database to an Aurora global database. Purchase Compute Savings Plans and", "D. Migrate the database to Aurora Serverless v1. Purchase Compute Savings Plans." ], "correct": "B. Migrate the database to an Aurora DB cluster that has multiple writer instances. Purchase", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company migrated an application to the AWS Cloud. The application runs on two Amazon EC2 instances behind an Application Load Balancer (ALB). Application data is stored in a MySQL database that runs on an additional EC2 instance. The application's use of the database is read-heavy. The application loads static content from Amazon Elastic Block Store (Amazon EBS) volumes that are attached to each EC2 instance. The static content is updated frequently and must be copied to each EBS volume. The load on the application changes throughout the day. During peak hours, the application cannot handle all the incoming requests. Trace data shows that the database cannot handle the read load during peak hours. Which solution will improve the reliability of the application?", "options": [ "A. Migrate the application to a set of AWS Lambda functions. Set the Lambda functions as", "B. Migrate the application to a set of AWS Step Functions state machines. Set the state", "C. Containerize the application. Migrate the application to an Amazon Elastic Container", "D. Containerize the application. Migrate the application to an Amazon Elastic Container" ], "correct": "B. Migrate the application to a set of AWS Step Functions state machines.
Set the state", "explanation": "Explanation/Reference: Community vote distribution D (89%) 11%", "references": "" }, { "question": "Topic 1 A solutions architect wants to make sure that only AWS users or roles with suitable permissions can access a new Amazon API Gateway endpoint. The solutions architect wants an end-to-end view of each request to analyze the latency of the request and create service maps. How can the solutions architect design the API Gateway access control and perform request inspections?", "options": [ "A. For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or", "C. Create an AWS Lambda function as the custom authorizer, ask the API client to pass the", "D. Create a client certificate for API Gateway. Distribute the certificate to the AWS users and" ], "correct": "A. For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is using AWS CodePipeline for the CI/CD of an application to an Amazon EC2 Auto Scaling group. All AWS resources are defined in AWS CloudFormation templates. The application artifacts are stored in an Amazon S3 bucket and deployed to the Auto Scaling group using instance user data scripts. As the application has become more complex, recent resource changes in the CloudFormation templates have caused unplanned downtime. How should a solutions architect improve the CI/CD pipeline to reduce the likelihood that changes in the templates will cause downtime?", "options": [ "A. Adapt the deployment scripts to detect and report CloudFormation error conditions when", "B. Implement automated testing using AWS CodeBuild in a test environment. Use", "C. Use plugins for the integrated development environment (IDE) to check the templates for", "D.
Use AWS CodeDeploy and a blue/green deployment pattern with CloudFormation to" ], "correct": "D. Use AWS CodeDeploy and a blue/green deployment pattern with CloudFormation to", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A North American company with headquarters on the East Coast is deploying a new web application running on Amazon EC2 in the us-east-1 Region. The application should dynamically scale to meet user demand and maintain resiliency. Additionally, the application must have disaster recovery capabilities in an active-passive configuration with the us-west-1 Region. Which steps should a solutions architect take after creating a VPC in the us-east-1 Region?", "options": [ "A. Create a VPC in the us-west-1 Region. Use inter-Region VPC peering to connect both VPCs.", "B. Deploy an Application Load Balancer (ALB) spanning multiple Availability Zones (AZs) to", "C. Create a VPC in the us-west-1 Region. Use inter-Region VPC peering to connect both VPCs.", "D. Deploy an Application Load Balancer (ALB) spanning multiple Availability Zones (AZs) to" ], "correct": "A. Create a VPC in the us-west-1 Region. Use inter-Region VPC peering to connect both VPCs.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has a legacy application that runs on multiple .NET Framework components. The components share the same Microsoft SQL Server database and communicate with each other asynchronously by using Microsoft Message Queueing (MSMQ). The company is starting a migration to containerized .NET Core components and wants to refactor the application to run on AWS. The .NET Core components require complex orchestration. The company must have full control over networking and host configuration. The application's database model is strongly relational. Which solution will meet these requirements?", "options": [ "A.
Host the .NET Core components on AWS App Runner. Host the database on Amazon RDS", "C. Host the .NET Core components on AWS Elastic Beanstalk. Host the database on Amazon", "D. Host the .NET Core components on Amazon Elastic Container Service (Amazon ECS) with" ], "correct": "A. Host the .NET Core components on AWS App Runner. Host the database on Amazon RDS", "explanation": "Explanation/Reference: Community vote distribution D (96%) 4%", "references": "" }, { "question": "Topic 1 A solutions architect has launched multiple Amazon EC2 instances in a placement group within a single Availability Zone. Because of additional load on the system, the solutions architect attempts to add new instances to the placement group. However, the solutions architect receives an insufficient capacity error. What should the solutions architect do to troubleshoot this issue?", "options": [ "A. Use a spread placement group. Set a minimum of eight instances for each Availability", "B. Stop and start all the instances in the placement group. Try the launch again.", "C. Create a new placement group. Merge the new placement group with the original", "D. Launch the additional instances as Dedicated Hosts in the placement groups." ], "correct": "C. Create a new placement group. Merge the new placement group with the original", "explanation": "Explanation/Reference: Community vote distribution B (87%) 13%", "references": "" }, { "question": "Topic 1 A company has used infrastructure as code (IaC) to provision a set of two Amazon EC2 instances. The instances have remained the same for several years. The company's business has grown rapidly in the past few months. In response, the company's operations team has implemented an Auto Scaling group to manage the sudden increases in traffic. Company policy requires a monthly installation of security updates on all operating systems that are running. The most recent security update required a reboot.
As a result, the Auto Scaling group terminated the instances and replaced them with new, unpatched instances. Which combination of steps should a solutions architect recommend to avoid a recurrence of this issue? (Choose two.)", "options": [ "A. Modify the Auto Scaling group by setting the Update policy to target the oldest launch", "B. Create a new Auto Scaling group before the next patch maintenance. During the", "C. Create an Elastic Load Balancer in front of the Auto Scaling group. Configure monitoring to", "D. Create automation scripts to patch an AMI, update the launch configuration, and invoke an" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution CD (48%) AD (26%) AC (23%) 3%", "references": "" }, { "question": "Topic 1 A team of data scientists is using Amazon SageMaker instances and SageMaker APIs to train machine learning (ML) models. The SageMaker instances are deployed in a VPC that does not have access to or from the internet. Datasets for ML model training are stored in an Amazon S3 bucket. Interface VPC endpoints provide access to Amazon S3 and the SageMaker APIs. Occasionally, the data scientists require access to the Python Package Index (PyPI) repository to update Python packages that they use as part of their workflow. A solutions architect must provide access to the PyPI repository while ensuring that the SageMaker instances remain isolated from the internet. Which solution will meet these requirements?", "options": [ "A. Create an AWS CodeCommit repository for each package that the data scientists need to", "B. Create a NAT gateway in the VPC. Configure VPC routes to allow access to the internet", "C. Create a NAT instance in the VPC. Configure VPC routes to allow access to the internet.", "D. Create an AWS CodeArtifact domain and repository. Add an external connection for" ], "correct": "C. Create a NAT instance in the VPC. Configure VPC routes to allow access to the internet.
", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A solutions architect works for a government agency that has strict disaster recovery requirements. All Amazon Elastic Block Store (Amazon EBS) snapshots are required to be saved in at least two additional AWS Regions. The agency also is required to maintain the lowest possible operational overhead. Which solution meets these requirements?", "options": [ "A. Configure a policy in Amazon Data Lifecycle Manager (Amazon DLM) to run once daily to", "B. Use Amazon EventBridge to schedule an AWS Lambda function to copy the EBS snapshots", "C. Set up AWS Backup to create the EBS snapshots. Configure Amazon S3 Cross-Region", "D. Schedule Amazon EC2 Image Builder to run once daily to create an AMI and copy the AMI" ], "correct": "A. Configure a policy in Amazon Data Lifecycle Manager (Amazon DLM) to run once daily to", "explanation": "Explanation/Reference: Community vote distribution A (86%) 14%", "references": "" }, { "question": "Topic 1 A company has a project that is launching Amazon EC2 instances that are larger than required. The project's account cannot be part of the company's organization in AWS Organizations due to policy restrictions to keep this activity outside of corporate IT. The company wants to allow only the launch of t3.small EC2 instances by developers in the project's account. These EC2 instances must be restricted to the us-east-2 Region. What should a solutions architect do to meet these requirements?", "options": [ "A. Create a new developer account. Move all EC2 instances, users, and assets into us-east-2.", "B. Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in", "C. Create and purchase a t3.small EC2 Reserved Instance for each developer in us-east-2.", "D. Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2."
], "correct": "B. Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in", "explanation": "Explanation/Reference: Community vote distribution D (90%) 10%", "references": "" }, { "question": "Topic 1 A scientific company needs to process text and image data from an Amazon S3 bucket. The data is collected from several radar stations during a live, time-critical phase of a deep space mission. The radar stations upload the data to the source S3 bucket. The data is prefixed by radar station identification number. The company created a destination S3 bucket in a second account. Data must be copied from the source S3 bucket to the destination S3 bucket to meet a compliance objective. This replication occurs through the use of an S3 replication rule to cover all objects in the source S3 bucket. One specific radar station is identified as having the most accurate data. Data replication at this radar station must be monitored for completion within 30 minutes after the radar station uploads the objects to the source S3 bucket. What should a solutions architect do to meet these requirements?", "options": [ "A. Set up an AWS DataSync agent to replicate the prefixed data from the source S3 bucket to", "B. In the second account, create another S3 bucket to receive data from the radar station with", "C. Enable Amazon S3 Transfer Acceleration on the source S3 bucket, and configure the radar", "D. Create a new S3 replication rule on the source S3 bucket that filters for the keys that use" ], "correct": "C. Enable Amazon S3 Transfer Acceleration on the source S3 bucket, and configure the radar", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company wants to migrate its on-premises data center to the AWS Cloud. This includes thousands of virtualized Linux and Microsoft Windows servers, SAN storage, Java and PHP applications with MySQL, and Oracle databases.
There are many dependent services hosted either in the same data center or externally. The technical documentation is incomplete and outdated. A solutions architect needs to understand the current environment and estimate the cloud resource costs after the migration. Which tools or services should the solutions architect use to plan the cloud migration? (Choose three.)", "options": [ "A. AWS Application Discovery Service", "B. AWS SMS", "C. AWS X-Ray", "D. AWS Cloud Adoption Readiness Tool (CART)" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ADF (76%) 10% 10%", "references": "" }, { "question": "Topic 1 A solutions architect is reviewing an application's resilience before launch. The application runs on an Amazon EC2 instance that is deployed in a private subnet of a VPC. The EC2 instance is provisioned by an Auto Scaling group that has a minimum capacity of 1 and a maximum capacity of 1. The application stores data on an Amazon RDS for MySQL DB instance. The VPC has subnets configured in three Availability Zones and is configured with a single NAT gateway. The solutions architect needs to recommend a solution to ensure that the application will operate across multiple Availability Zones. Which solution will meet this requirement? A. Deploy an additional NAT gateway in the other Availability Zones. Update the route tables with appropriate routes. Modify the RDS for MySQL DB instance to a Multi-AZ configuration. Configure the Auto Scaling group to launch the instances across Availability Zones. Set the minimum capacity and maximum capacity of the Auto Scaling group to 3.", "options": [ "B. Replace the NAT gateway with a virtual private gateway. Replace the RDS for MySQL DB", "C. Replace the NAT gateway with a NAT instance. Migrate the RDS for MySQL DB instance to", "D. Deploy an additional NAT gateway in the other Availability Zones. Update the route tables" ], "correct": "C.
Replace the NAT gateway with a NAT instance. Migrate the RDS for MySQL DB instance to", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company is planning to migrate its on-premises transaction-processing application to AWS. The application runs inside Docker containers that are hosted on VMs in the company's data center. The Docker containers have shared storage where the application records transaction data. The transactions are time sensitive. The volume of transactions inside the application is unpredictable. The company must implement a low-latency storage solution that will automatically scale throughput to meet increased demand. The company cannot develop the application further and cannot continue to administer the Docker hosting environment. How should the company migrate the application to AWS to meet these requirements?", "options": [ "A. Migrate the containers that run the application to Amazon Elastic Kubernetes Service", "B. Migrate the containers that run the application to AWS Fargate for Amazon Elastic", "C. Migrate the containers that run the application to AWS Fargate for Amazon Elastic", "D. Launch Amazon EC2 instances. Install Docker on the EC2 instances. Migrate the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is planning to migrate to the AWS Cloud. The company hosts many applications on Windows servers and Linux servers. Some of the servers are physical, and some of the servers are virtual. The company uses several types of databases in its on-premises environment. The company does not have an accurate inventory of its on-premises servers and applications. The company wants to rightsize its resources during migration. A solutions architect needs to obtain information about the network connections and the application relationships.
The solutions architect must assess the company's current environment and develop a migration plan. Which solution will provide the solutions architect with the required information to develop the migration plan?", "options": [ "A. Use Migration Evaluator to request an evaluation of the environment from AWS. Use the", "B. Use AWS Migration Hub and install the AWS Application Discovery Agent on the servers.", "C. Use AWS Migration Hub and run the AWS Application Discovery Service Agentless", "D. Use the AWS Migration Hub import tool to load the details of the company's on-premises" ], "correct": "D. Use the AWS Migration Hub import tool to load the details of the company's on-premises", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A financial services company sells its software-as-a-service (SaaS) platform for application compliance to large global banks. The SaaS platform runs on AWS and uses multiple AWS accounts that are managed in an organization in AWS Organizations. The SaaS platform uses many AWS resources globally. For regulatory compliance, all API calls to AWS resources must be audited, tracked for changes, and stored in a durable and secure data store. Which solution will meet these requirements with the LEAST operational overhead? A. Create a new AWS CloudTrail trail. Use an existing Amazon S3 bucket in the organization's management account to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 bucket.", "options": [ "B. Create a new AWS CloudTrail trail in each member account of the organization. Create new", "C. Create a new AWS CloudTrail trail in the organization's management account. Create a new", "D. Create a new AWS CloudTrail trail in the organization's management account. Create a new" ], "correct": "C. Create a new AWS CloudTrail trail in the organization's management account.
Create a new", "explanation": "Explanation/Reference: Community vote distribution C (92%) 8%", "references": "" }, { "question": "Topic 1 A company is deploying a distributed in-memory database on a fleet of Amazon EC2 instances. The fleet consists of a primary node and eight worker nodes. The primary node is responsible for monitoring cluster health, accepting user requests, distributing user requests to worker nodes, and sending an aggregate response back to a client. Worker nodes communicate with each other to replicate data partitions. The company requires the lowest possible networking latency to achieve maximum performance. Which solution will meet these requirements?", "options": [ "A. Launch memory optimized EC2 instances in a partition placement group.", "B. Launch compute optimized EC2 instances in a partition placement group.", "C. Launch memory optimized EC2 instances in a cluster placement group.", "D. Launch compute optimized EC2 instances in a spread placement group." ], "correct": "C. Launch memory optimized EC2 instances in a cluster placement group.", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company maintains information on premises in approximately 1 million .csv files that are hosted on a VM. The data initially is 10 TB in size and grows at a rate of 1 TB each week. The company needs to automate backups of the data to the AWS Cloud. Backups of the data must occur daily. The company needs a solution that applies custom filters to back up only a subset of the data that is located in designated source directories. The company has set up an AWS Direct Connect connection. Which solution will meet the backup requirements with the LEAST operational overhead?", "options": [ "A. Use the Amazon S3 CopyObject API operation with multipart upload to copy the existing", "B. Create a backup plan in AWS Backup to back up the data to Amazon S3. Schedule the", "C.
Install the AWS DataSync agent as a VM that runs on the on-premises hypervisor.", "D. Use an AWS Snowball Edge device for the initial backup. Use AWS DataSync for" ], "correct": "D. Use an AWS Snowball Edge device for the initial backup. Use AWS DataSync for", "explanation": "Explanation/Reference: Community vote distribution C (87%) 13%", "references": "" }, { "question": "Topic 1 A financial services company has an asset management product that thousands of customers use around the world. The customers provide feedback about the product through surveys. The company is building a new analytical solution that runs on Amazon EMR to analyze the data from these surveys. The following user personas need to access the analytical solution to perform different actions: \u00b7 Administrator: Provisions the EMR cluster for the analytics team based on the team's requirements \u00b7 Data engineer: Runs ETL scripts to process, transform, and enrich the datasets \u00b7 Data analyst: Runs SQL and Hive queries on the data A solutions architect must ensure that all the user personas have least privilege access to only the resources that they need. The user personas must be able to launch only applications that are approved and authorized. The solution also must ensure tagging for all resources that the user personas create. Which solution will meet these requirements?", "options": [ "A. Create IAM roles for each user persona. Attach identity-based policies to define which", "C. Use AWS Service Catalog to control the Amazon EMR versions available for deployment,", "D. Launch the EMR cluster by using AWS CloudFormation, Attach resource-based policies to" ], "correct": "A. Create IAM roles for each user persona.
Attach identity-based policies to define which", "explanation": "Explanation/Reference: Community vote distribution C (81%) A (19%)", "references": "" }, { "question": "Topic 1 A software as a service (SaaS) company uses AWS to host a service that is powered by AWS PrivateLink. The service consists of proprietary software that runs on three Amazon EC2 instances behind a Network Load Balancer (NLB). The instances are in private subnets in multiple Availability Zones in the eu-west-2 Region. All the company's customers are in eu-west-2. However, the company now acquires a new customer in the us-east-1 Region. The company creates a new VPC and new subnets in us-east-1. The company establishes inter-Region VPC peering between the VPCs in the two Regions. The company wants to give the new customer access to the SaaS service, but the company does not want to immediately deploy new EC2 resources in us-east-1. Which solution will meet these requirements?", "options": [ "A. Configure a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-", "B. Create an NLB in us-east-1. Create an IP target group that uses the IP addresses of the", "C. Create an Application Load Balancer (ALB) in front of the EC2 instances in eu-west-2.", "D. Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances that are in eu-" ], "correct": "D. Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances that are in eu-", "explanation": "Explanation/Reference: Community vote distribution A (61%) B (39%)", "references": "" }, { "question": "Topic 1 A company needs to monitor a growing number of Amazon S3 buckets across two AWS Regions. The company also needs to track the percentage of objects that are encrypted in Amazon S3. The company needs a dashboard to display this information for internal compliance teams. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A.
Create a new S3 Storage Lens dashboard in each Region to track bucket and encryption", "B. Deploy an AWS Lambda function in each Region to list the number of buckets and the", "C. Use the S3 Storage Lens default dashboard to track bucket and encryption metrics. Give", "D. Create an Amazon EventBridge rule to detect AWS CloudTrail events for S3 object creation." ], "correct": "B. Deploy an AWS Lambda function in each Region to list the number of buckets and the", "explanation": "Explanation/Reference: Community vote distribution C (84%) Other", "references": "" }, { "question": "Topic 1 A company's CISO has asked a solutions architect to re-engineer the company's current CI/CD practices to make sure patch deployments to its application can happen as quickly as possible with minimal downtime if vulnerabilities are discovered. The company must also be able to quickly roll back a change in case of errors. The web application is deployed in a fleet of Amazon EC2 instances behind an Application Load Balancer. The company is currently using GitHub to host the application source code, and has configured an AWS CodeBuild project to build the application. The company also intends to use AWS CodePipeline to trigger builds from GitHub commits using the existing CodeBuild project. What CI/CD configuration meets all of the requirements?", "options": [ "A. Configure CodePipeline with a deploy stage using AWS CodeDeploy configured for in-place", "B. Configure CodePipeline with a deploy stage using AWS CodeDeploy configured for", "C. Configure CodePipeline with a deploy stage using AWS CloudFormation to create a", "D. Configure the CodePipeline with a deploy stage using AWS OpsWorks and in-place" ], "correct": "C.
Configure CodePipeline with a deploy stage using AWS CloudFormation to create a", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is managing many AWS accounts by using an organization in AWS Organizations. Different business units in the company run applications on Amazon EC2 instances. All the EC2 instances must have a BusinessUnit tag so that the company can track the cost for each business unit. A recent audit revealed that some instances were missing this tag. The company manually added the missing tag to the instances. What should a solutions architect do to enforce the tagging requirement in the future?", "options": [ "A. Enable tag policies in the organization. Create a tag policy for the BusinessUnit tag. Ensure", "B. Enable tag policies in the organization. Create a tag policy for the BusinessUnit tag. Ensure", "C. Create an SCP and attach the SCP to the root of the organization. Include the following" ], "correct": "B. Enable tag policies in the organization. Create a tag policy for the BusinessUnit tag. Ensure", "explanation": "Explanation/Reference: Community vote distribution C (67%) B (25%) 6%", "references": "" }, { "question": "Topic 1 A company is running a workload that consists of thousands of Amazon EC2 instances. The workload is running in a VPC that contains several public subnets and private subnets. The public subnets have a route for 0.0.0.0/0 to an existing internet gateway. The private subnets have a route for 0.0.0.0/0 to an existing NAT gateway. A solutions architect needs to migrate the entire fleet of EC2 instances to use IPv6. The EC2 instances that are in private subnets must not be accessible from the public internet. What should the solutions architect do to meet these requirements?", "options": [ "A. Update the existing VPC, and associate a custom IPv6 CIDR block with the VPC and all", "B.
Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC", "C. Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC", "D. Update the existing VPC, and associate a custom IPv6 CIDR block with the VPC and all" ], "correct": "C. Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC", "explanation": "Explanation/Reference: Community vote distribution C (91%) 9%", "references": "" }, { "question": "Topic 1 A company is using Amazon API Gateway to deploy a private REST API that will provide access to sensitive data. The API must be accessible only from an application that is deployed in a VPC. The company deploys the API successfully. However, the API is not accessible from an Amazon EC2 instance that is deployed in the VPC. Which solution will provide connectivity between the EC2 instance and the API?", "options": [ "A. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows", "B. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows", "C. Create a Network Load Balancer (NLB) and a VPC link. Configure private integration", "D. Create an Application Load Balancer (ALB) and a VPC Link. Configure private integration" ], "correct": "D. Create an Application Load Balancer (ALB) and a VPC Link. Configure private integration", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A large payroll company recently merged with a small staffing company. The unified company now has multiple business units, each with its own existing AWS account. A solutions architect must ensure that the company can centrally manage the billing and access policies for all the AWS accounts. The solutions architect configures AWS Organizations by sending an invitation to all member accounts of the company from a centralized management account.
What should the solutions architect do next to meet these requirements?", "options": [ "A. Create the OrganizationAccountAccess IAM group in each member account. Include the", "B. Create the OrganizationAccountAccessPolicy IAM policy in each member account.", "C. Create the OrganizationAccountAccessRole IAM role in each member account. Grant", "D. Create the OrganizationAccountAccessRole IAM role in the management account. Attach" ], "correct": "B. Create the OrganizationAccountAccessPolicy IAM policy in each member account.", "explanation": "Explanation/Reference: Community vote distribution C (90%) 10%", "references": "" }, { "question": "Topic 1 A company has application services that have been containerized and deployed on multiple Amazon EC2 instances with public IPs. An Apache Kafka cluster has been deployed to the EC2 instances. A PostgreSQL database has been migrated to Amazon RDS for PostgreSQL. The company expects a significant increase of orders on its platform when a new version of its flagship product is released. What changes to the current architecture will reduce operational overhead and support the product release?", "options": [ "A. Create an EC2 Auto Scaling group behind an Application Load Balancer. Create additional", "B. Create an EC2 Auto Scaling group behind an Application Load Balancer. Deploy the DB", "C. Deploy the application on a Kubernetes cluster created on the EC2 instances behind an", "D. Deploy the application on Amazon Elastic Kubernetes Service (Amazon EKS) with AWS" ], "correct": "A. Create an EC2 Auto Scaling group behind an Application Load Balancer. Create additional", "explanation": "Explanation/Reference: Community vote distribution D (95%) 5%", "references": "" }, { "question": "Topic 1 A company hosts a VPN in an on-premises data center. Employees currently connect to the VPN to access files in their Windows home directories.
Recently, there has been a large growth in the number of employees who work remotely. As a result, bandwidth usage for connections into the data center has begun to reach 100% during business hours. The company must design a solution on AWS that will support the growth of the company's remote workforce, reduce the bandwidth usage for connections into the data center, and reduce operational overhead. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)", "options": [ "A. Create an AWS Storage Gateway Volume Gateway. Mount a volume from the Volume", "B. Migrate the home directories to Amazon FSx for Windows File Server.", "C. Migrate the home directories to Amazon FSx for Lustre.", "D. Migrate remote users to AWS Client VPN." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (100%)", "references": "" }, { "question": "Topic 1 A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances. A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the", "B. Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script", "C. Create a snapshot of each unencrypted volume. Create a new encrypted volume from the", "D. Create an organization in AWS Organizations.
Set up AWS Control Tower, and turn on the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (80%) AE (20%)", "references": "" }, { "question": "Topic 1 A company hosts an intranet web application on Amazon EC2 instances behind an Application Load Balancer (ALB). Currently, users authenticate to the application against an internal user database. The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory. All users with accounts in the directory must have access to the application. Which solution will meet these requirements?", "options": [ "A. Create a new app client in the directory. Create a listener rule for the ALB. Specify the", "B. Configure an Amazon Cognito user pool. Configure the user pool with a federated identity", "C. Add the directory as a new IAM identity provider (IdP). Create a new IAM role that has an", "D. Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an" ], "correct": "C. Add the directory as a new IAM identity provider (IdP). Create a new IAM role that has an", "explanation": "Explanation/Reference: Community vote distribution B (51%) D (41%) 8%", "references": "" }, { "question": "Topic 1 A company has a website that serves many visitors. The company deploys a backend service for the website in a primary AWS Region and a disaster recovery (DR) Region. A single Amazon CloudFront distribution is deployed for the website. The company creates an Amazon Route 53 record set with health checks and a failover routing policy for the primary Region's backend service. The company configures the Route 53 record set as an origin for the CloudFront distribution. The company configures another record set that points to the backend service's endpoint in the DR Region as a secondary failover record type. The TTL for both record sets is 60 seconds. Currently, failover takes more than 1 minute.
A solutions architect must design a solution that will provide the fastest failover time. Which solution will achieve this goal?", "options": [ "A. Deploy an additional CloudFront distribution. Create a new Route 53 failover record set", "B. Set the TTL to 4 seconds for the existing Route 53 record sets that are used for the backend", "C. Create new record sets for the backend services by using a latency routing policy. Use the", "D. Create a CloudFront origin group that includes two origins, one for each backend service" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company is using multiple AWS accounts and has multiple DevOps teams running production and non-production workloads in these accounts. The company would like to centrally restrict access to some of the AWS services that the DevOps teams do not use. The company decided to use AWS Organizations and successfully invited all AWS accounts into the Organization. They would like to allow access to services that are currently in use and deny a few specific services. Also they would like to administer multiple accounts together as a single unit. What combination of steps should the solutions architect take to satisfy these requirements? (Choose three.)", "options": [ "A. Use a Deny list strategy.", "B. Review the Access Advisor in AWS IAM to determine services recently used", "C. Review the AWS Trusted Advisor report to determine services recently used.", "D. Remove the default FullAWSAccess SCP." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABE (92%) 8%", "references": "" }, { "question": "Topic 1 A live-events company is designing a scaling solution for its ticket application on AWS. The application has high peaks of utilization during sale events. Each sale event is a one-time event that is scheduled.
The application runs on Amazon EC2 instances that are in an Auto Scaling group. The application uses PostgreSQL for the database layer. The company needs a scaling solution to maximize availability during the sale events. Which solution will meet these requirements?", "options": [ "A. Use a predictive scaling policy for the EC2 instances. Host the database on an Amazon", "B. Use a scheduled scaling policy for the EC2 instances. Host the database on an Amazon", "C. Use a predictive scaling policy for the EC2 instances. Host the database on an Amazon", "D. Use a scheduled scaling policy for the EC2 instances. Host the database on an Amazon" ], "correct": "B. Use a scheduled scaling policy for the EC2 instances. Host the database on an Amazon", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company runs an intranet application on premises. The company wants to configure a cloud backup of the application. The company has selected AWS Elastic Disaster Recovery for this solution. The company requires that replication traffic does not travel through the public internet. The application also must not be accessible from the internet. The company does not want this solution to consume all available network bandwidth because other applications require bandwidth. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Create a VPC that has at least two private subnets, two NAT gateways, and a virtual private", "B. Create a VPC that has at least two public subnets, a virtual private gateway, and an internet", "C. Create an AWS Site-to-Site VPN connection between the on-premises network and the", "D.
Create an AWS Direct Connect connection and a Direct Connect gateway between the on-" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ADE (73%) 9% Other", "references": "" }, { "question": "Topic 1 A company that provides image storage services wants to deploy a customer-facing solution to AWS. Millions of individual customers will use the solution. The solution will receive batches of large image files, resize the files, and store the files in an Amazon S3 bucket for up to 6 months. The solution must handle significant variance in demand. The solution must also be reliable at enterprise scale and have the ability to rerun processing jobs in the event of failure. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Use AWS Step Functions to process the S3 event that occurs when a user stores an image.", "B. Use Amazon EventBridge to process the S3 event that occurs when a user uploads an", "C. Use S3 Event Notifications to invoke an AWS Lambda function when a user stores an", "D. Use Amazon Simple Queue Service (Amazon SQS) to process the S3 event that occurs" ], "correct": "D. Use Amazon Simple Queue Service (Amazon SQS) to process the S3 event that occurs", "explanation": "Explanation/Reference: Community vote distribution B (45%) D (26%) A (23%) 4%", "references": "" }, { "question": "A company has an organization in AWS Organizations that includes a separate AWS account for each of the company's departments. Application teams from different departments develop and deploy solutions independently. The company wants to reduce compute costs and manage costs appropriately across departments. The company also wants to improve visibility into billing for individual departments. The company does not want to lose operational flexibility when the company selects compute resources. Which solution will meet these requirements?", "options": [ "A. Use AWS Budgets for each department.
Use Tag Editor to apply tags to appropriate", "B. Configure AWS Organizations to use consolidated billing. Implement a tagging strategy", "C. Configure AWS Organizations to use consolidated billing. Implement a tagging strategy", "D. Use AWS Budgets for each department. Use SCPs to apply tags to appropriate resources." ], "correct": "C. Configure AWS Organizations to use consolidated billing. Implement a tagging strategy", "explanation": "Explanation/Reference: Community vote distribution C (86%) 14%", "references": "" }, { "question": "Topic 1 A company has a web application that securely uploads pictures and videos to an Amazon S3 bucket. The company requires that only authenticated users are allowed to post content. The application generates a presigned URL that is used to upload objects through a browser interface. Most users are reporting slow upload times for objects larger than 100 MB. What can a solutions architect do to improve the performance of these uploads while ensuring only authenticated users are allowed to post content?", "options": [ "A. Set up an Amazon API Gateway with an edge-optimized API endpoint that has a resource", "B. Set up an Amazon API Gateway with a regional API endpoint that has a resource as an S3", "C. Enable an S3 Transfer Acceleration endpoint on the S3 bucket. Use the endpoint when", "D. Configure an Amazon CloudFront distribution for the destination S3 bucket. Enable PUT" ], "correct": "B. Set up an Amazon API Gateway with a regional API endpoint that has a resource as an S3", "explanation": "Explanation/Reference: Community vote distribution C (76%) A (19%) 5%", "references": "" }, { "question": "Topic 1 A large company is migrating its entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon.
The finance department requires a centralized method for payment but must maintain visibility into each group's spending to allocate costs. The security team requires a centralized mechanism to control IAM usage in all the company's accounts. What combination of the following options meets the company's needs with the LEAST effort? (Choose two.)", "options": [ "A. Use a collection of parameterized AWS CloudFormation templates defining common IAM", "B. Use AWS Organizations to create a new organization from a chosen payer account and", "C. Require each business unit to use its own AWS accounts. Tag each AWS account", "D. Enable all features of AWS Organizations and establish appropriate service control policies" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BD (68%) BC (32%)", "references": "" }, { "question": "Topic 1 A company has a solution that analyzes weather data from thousands of weather stations. The weather stations send the data over an Amazon API Gateway REST API that has an AWS Lambda function integration. The Lambda function calls a third-party service for data pre-processing. The third-party service gets overloaded and fails the pre-processing, causing a loss of data. A solutions architect must improve the resiliency of the solution. The solutions architect must ensure that no data is lost and that data can be processed later if failures occur. What should the solutions architect do to meet these requirements?", "options": [ "A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queue as the", "B. Create two Amazon Simple Queue Service (Amazon SQS) queues: a primary queue and a", "C. Create two Amazon EventBridge event buses: a primary event bus and a secondary event", "D. Create a custom Amazon EventBridge event bus. Configure the event bus as the failure" ], "correct": "B.
Create two Amazon Simple Queue Service (Amazon SQS) queues: a primary queue and a", "explanation": "Explanation/Reference: Community vote distribution B (93%) 7%", "references": "" }, { "question": "Topic 1 A company built an ecommerce website on AWS using a three-tier web architecture. The application is Java-based and composed of an Amazon CloudFront distribution, an Apache web server layer of Amazon EC2 instances in an Auto Scaling group, and a backend Amazon Aurora MySQL database. Last month, during a promotional sales event, users reported errors and timeouts while adding items to their shopping carts. The operations team recovered the logs created by the web servers and reviewed Aurora DB cluster performance metrics. Some of the web servers were terminated before logs could be collected and the Aurora metrics were not sufficient for query performance analysis. Which combination of steps must the solutions architect take to improve application performance visibility during peak traffic events? (Choose three.)", "options": [ "A. Configure the Aurora MySQL DB cluster to publish slow query and error logs to Amazon", "C. Configure the Aurora MySQL DB cluster to stream slow query and error logs to Amazon", "D. Install and configure an Amazon CloudWatch Logs agent on the EC2 instances to send the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ABD (100%)", "references": "" }, { "question": "Topic 1 A company that provisions job boards for a seasonal workforce is seeing an increase in traffic and usage. The backend services run on a pair of Amazon EC2 instances behind an Application Load Balancer with Amazon DynamoDB as the datastore. Application read and write traffic is slow during peak seasons. Which option provides a scalable application architecture to handle peak seasons with the LEAST development effort?", "options": [ "A. Migrate the backend services to AWS Lambda. Increase the read and write capacity of", "B.
Migrate the backend services to AWS Lambda. Configure DynamoDB to use global tables.", "C. Use Auto Scaling groups for the backend services. Use DynamoDB auto scaling.", "D. Use Auto Scaling groups for the backend services. Use Amazon Simple Queue Service" ], "correct": "B. Migrate the backend services to AWS Lambda. Configure DynamoDB to use global tables.", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is migrating to the cloud. It wants to evaluate the configurations of virtual machines in its existing data center environment to ensure that it can size new Amazon EC2 instances accurately. The company wants to collect metrics, such as CPU, memory, and disk utilization, and it needs an inventory of what processes are running on each instance. The company would also like to monitor network connections to map communications between servers. Which would enable the collection of this data MOST cost effectively?", "options": [ "A. Use AWS Application Discovery Service and deploy the data collection agent to each virtual", "B. Configure the Amazon CloudWatch agent on all servers within the local environment and", "C. Use AWS Application Discovery Service and enable agentless discovery in the existing", "D. Enable AWS Application Discovery Service in the AWS Management Console and configure" ], "correct": "D. Enable AWS Application Discovery Service in the AWS Management Console and configure", "explanation": "Explanation/Reference: Community vote distribution A (92%) 4%", "references": "" }, { "question": "Topic 1 A company provides a software as a service (SaaS) application that runs in the AWS Cloud. The application runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The instances are in an Auto Scaling group and are distributed across three Availability Zones in a single AWS Region. The company is deploying the application into additional Regions.
The company must provide static IP addresses for the application to customers so that the customers can add the IP addresses to allow lists. The solution must automatically route customers to the Region that is geographically closest to them. Which solution will meet these requirements?", "options": [ "A. Create an Amazon CloudFront distribution. Create a CloudFront origin group. Add the NLB", "B. Create an AWS Global Accelerator standard accelerator. Create a standard accelerator", "C. Create an Amazon CloudFront distribution. Create a custom origin for the NLB in each", "D. Create an AWS Global Accelerator custom routing accelerator. Create a listener for the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (90%) 10%", "references": "" }, { "question": "Topic 1 A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account. Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads. Which strategy will meet these requirements?", "options": [ "A. Create separate OUs in AWS Organizations for each development unit. Assign the created", "B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS)", "C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS)", "D. Create separate IAM policies for each development unit. For every IAM policy, add an allow" ], "correct": "B.
Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS)", "explanation": "Explanation/Reference: Community vote distribution B (79%) A (21%)", "references": "" }, { "question": "Topic 1 An enterprise company is building an infrastructure services platform for its users. The company has the following requirements: \u00b7 Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services. \u00b7 Use a central account to manage the creation of infrastructure services. \u00b7 Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations. \u00b7 Provide the ability to enforce tags on any infrastructure that is started by users. Which combination of actions using AWS services will meet these requirements? (Choose three.)", "options": [ "A. Develop infrastructure services using AWS CloudFormation templates. Add the templates", "B. Develop infrastructure services using AWS CloudFormation templates. Upload each", "C. Allow user IAM roles to have AWSCloudFormationFullAccess and", "D. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions only. Use an" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BDE (93%) 7%", "references": "" }, { "question": "Topic 1 A company deploys a new web application. As part of the setup, the company configures AWS WAF to log to Amazon S3 through Amazon Kinesis Data Firehose. The company develops an Amazon Athena query that runs once daily to return AWS WAF log data from the previous 24 hours. The volume of daily logs is constant. However, over time, the same query is taking more time to run. A solutions architect needs to design a solution to prevent the query time from continuing to increase. The solution must minimize operational overhead. Which solution will meet these requirements?", "options": [ "A.
Create an AWS Lambda function that consolidates each day's AWS WAF logs into one log", "B. Reduce the amount of data scanned by configuring AWS WAF to send logs to a different S3", "C. Update the Kinesis Data Firehose configuration to partition the data in Amazon S3 by date", "D. Modify the Kinesis Data Firehose configuration and Athena table definition to partition the" ], "correct": "D. Modify the Kinesis Data Firehose configuration and Athena table definition to partition the", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company is developing a web application that runs on Amazon EC2 instances in an Auto Scaling group behind a public-facing Application Load Balancer (ALB). Only users from a specific country are allowed to access the application. The company needs the ability to log the access requests that have been blocked. The solution should require the least possible maintenance. Which solution meets these requirements?", "options": [ "A. Create an IPSet containing a list of IP ranges that belong to the specified country. Create", "B. Create an AWS WAF web ACL. Configure a rule to block any requests that do not originate", "C. Configure AWS Shield to block any requests that do not originate from the specified", "D. Create a security group rule that allows ports 80 and 443 from IP ranges that belong to the" ], "correct": "C. Configure AWS Shield to block any requests that do not originate from the specified", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is migrating an application from on-premises infrastructure to the AWS Cloud. During migration design meetings, the company expressed concerns about the availability and recovery options for its legacy Windows file server.
The file server contains sensitive business-critical data that cannot be recreated in the event of data corruption or data loss. According to compliance requirements, the data must not travel across the public internet. The company wants to move to AWS managed services where possible. The company decides to store the data in an Amazon FSx for Windows File Server file system. A solutions architect must design a solution that copies the data to another AWS Region for disaster recovery (DR) purposes. Which solution will meet these requirements?", "options": [ "A. Create a destination Amazon S3 bucket in the DR Region. Establish connectivity between", "B. Create an FSx for Windows File Server file system in the DR Region. Establish connectivity", "C. Create an FSx for Windows File Server file system in the DR Region. Establish connectivity", "D. Create an FSx for Windows File Server file system in the DR Region. Establish connectivity" ], "correct": "C. Create an FSx for Windows File Server file system in the DR Region. Establish connectivity", "explanation": "Explanation/Reference: Community vote distribution C (84%) A (16%)", "references": "" }, { "question": "Topic 1 A company is currently in the design phase of an application that will need an RPO of less than 5 minutes and an RTO of less than 10 minutes. The solutions architecture team is forecasting that the database will store approximately 10 TB of data. As part of the design, they are looking for a database solution that will provide the company with the ability to fail over to a secondary Region. Which solution will meet these business requirements at the LOWEST cost?", "options": [ "A. Deploy an Amazon Aurora DB cluster and take snapshots of the cluster every 5 minutes.", "B. Deploy an Amazon RDS instance with a cross-Region read replica in a secondary Region. In", "C. Deploy an Amazon Aurora DB cluster in the primary Region and another in a secondary", "D.
Deploy an Amazon RDS instance with a read replica in the same Region. In the event of a" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (86%) 14%", "references": "" }, { "question": "Topic 1 A financial company needs to create a separate AWS account for a new digital wallet application. The company uses AWS Organizations to manage its accounts. A solutions architect uses the IAM user Support1 from the management account to create a new member account with finance1@example.com as the email address. What should the solutions architect do to create IAM users in the new member account?", "options": [ "A. Sign in to the AWS Management Console with AWS account root user credentials by using", "B. From the management account, switch roles to assume the", "C. Go to the AWS Management Console sign-in page. Choose \"Sign in using root account", "D. Go to the AWS Management Console sign-in page. Sign in by using the account ID of the" ], "correct": "A. Sign in to the AWS Management Console with AWS account root user credentials by using", "explanation": "Explanation/Reference: Community vote distribution B (81%) D (19%)", "references": "" }, { "question": "Topic 1 A car rental company has built a serverless REST API to provide data to its mobile app. The app consists of an Amazon API Gateway API with a Regional endpoint, AWS Lambda functions, and an Amazon Aurora MySQL Serverless DB cluster. The company recently opened the API to mobile apps of partners. A significant increase in the number of requests resulted, causing sporadic database memory errors. Analysis of the API traffic indicates that clients are making multiple HTTP GET requests for the same queries in a short period of time. Traffic is concentrated during business hours, with spikes around holidays and other events. The company needs to improve its ability to support the additional usage while minimizing the increase in costs associated with the solution.
Which strategy meets these requirements?", "options": [ "A. Convert the API Gateway Regional endpoint to an edge-optimized endpoint. Enable caching", "B. Implement an Amazon ElastiCache for Redis cache to store the results of the database", "C. Modify the Aurora Serverless DB cluster configuration to increase the maximum amount of", "D. Enable throttling in the API Gateway production stage. Set the rate and burst values to limit" ], "correct": "C. Modify the Aurora Serverless DB cluster configuration to increase the maximum amount of", "explanation": "Explanation/Reference: Community vote distribution A (61%) B (39%)", "references": "" }, { "question": "Topic 1 A company is migrating an on-premises application and a MySQL database to AWS. The application processes highly sensitive data, and new data is constantly updated in the database. The data must not be transferred over the internet. The company also must encrypt the data in transit and at rest. The database is 5 TB in size. The company already has created the database schema in an Amazon RDS for MySQL DB instance. The company has set up a 1 Gbps AWS Direct Connect connection to AWS. The company also has set up a public VIF and a private VIF. A solutions architect needs to design a solution that will migrate the data to AWS with the least possible downtime. Which solution will meet these requirements?", "options": [ "A. Perform a database backup. Copy the backup files to an AWS Snowball Edge Storage", "B. Use AWS Database Migration Service (AWS DMS) to migrate the data to AWS. Create a", "C. Perform a database backup. Use AWS DataSync to transfer the backup files to Amazon S3.", "D. Use Amazon S3 File Gateway. Set up a private connection to Amazon S3 by using AWS" ], "correct": "C. Perform a database backup.
Use AWS DataSync to transfer the backup files to Amazon S3.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is deploying a new cluster for big data analytics on AWS. The cluster will run across many Linux Amazon EC2 instances that are spread across multiple Availability Zones. All of the nodes in the cluster must have read and write access to common underlying file storage. The file storage must be highly available, must be resilient, must be compatible with the Portable Operating System Interface (POSIX), and must accommodate high levels of throughput. Which storage solution will meet these requirements?", "options": [ "A. Provision an AWS Storage Gateway file gateway NFS file share that is attached to an", "B. Provision a new Amazon Elastic File System (Amazon EFS) file system that uses General", "C. Provision a new Amazon Elastic Block Store (Amazon EBS) volume that uses the io2", "D. Provision a new Amazon Elastic File System (Amazon EFS) file system that uses Max I/O" ], "correct": "D. Provision a new Amazon Elastic File System (Amazon EFS) file system that uses Max I/O", "explanation": "Explanation/Reference: Community vote distribution D (67%) B (31%) 1%", "references": "" }, { "question": "Topic 1 A company hosts a software as a service (SaaS) solution on AWS. The solution has an Amazon API Gateway API that serves an HTTPS endpoint. The API uses AWS Lambda functions for compute. The Lambda functions store data in an Amazon Aurora Serverless v1 database. The company used the AWS Serverless Application Model (AWS SAM) to deploy the solution. The solution extends across multiple Availability Zones and has no disaster recovery (DR) plan. A solutions architect must design a DR strategy that can recover the solution in another AWS Region. The solution has an RTO of 5 minutes and an RPO of 1 minute. What should the solutions architect do to meet these requirements?
A. Create a read replica of the Aurora Serverless v1 database in the target Region. Use AWS SAM to create a runbook to deploy the solution to the target Region. Promote the read replica to primary in case of disaster.", "options": [ "B. Change the Aurora Serverless v1 database to a standard Aurora MySQL global database", "C. Create an Aurora Serverless v1 DB cluster that has multiple writer instances in the target", "D. Change the Aurora Serverless v1 database to a standard Aurora MySQL global database" ], "correct": "B. Change the Aurora Serverless v1 database to a standard Aurora MySQL global database", "explanation": "Explanation/Reference: Community vote distribution D (92%) 8%", "references": "" }, { "question": "Topic 1 A company owns a chain of travel agencies and is running an application in the AWS Cloud. Company employees use the application to search for information about travel destinations. Destination content is updated four times each year. Two fixed Amazon EC2 instances serve the application. The company uses an Amazon Route 53 public hosted zone with a multivalue record of travel.example.com that returns the Elastic IP addresses for the EC2 instances. The application uses Amazon DynamoDB as its primary data store. The company uses a self-hosted Redis instance as a caching solution. During content updates, the load on the EC2 instances and the caching solution increases drastically. This increased load has led to downtime on several occasions. A solutions architect must update the application so that the application is highly available and can handle the load that is generated by the content updates. Which solution will meet these requirements?", "options": [ "A. Set up DynamoDB Accelerator (DAX) as in-memory cache. Update the application to use", "B. Set up Amazon ElastiCache for Redis. Update the application to use ElastiCache. Create an", "C. Set up Amazon ElastiCache for Memcached.
Update the application to use ElastiCache.", "D. Set up DynamoDB Accelerator (DAX) as in-memory cache. Update the application to use" ], "correct": "B. Set up Amazon ElastiCache for Redis. Update the application to use ElastiCache. Create an", "explanation": "Explanation/Reference: Community vote distribution A (97%) 3%", "references": "" }, { "question": "Topic 1 A company needs to store and process image data that will be uploaded from mobile devices using a custom mobile app. Usage peaks between 8 AM and 5 PM on weekdays, with thousands of uploads per minute. The app is rarely used at any other time. A user is notified when image processing is complete. Which combination of actions should a solutions architect take to ensure image processing can scale to handle the load? (Choose three.)", "options": [ "A. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to", "B. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to", "C. Invoke an AWS Lambda function to perform image processing when a message is available", "D. Invoke an S3 Batch Operations job to perform image processing when a message is", "A. Configure and set up an AWS Client VPN endpoint. Associate the Client VPN endpoint with", "B. Create a transit gateway, and connect it to the VPC. Create an AWS Site-to-Site VPN.", "C. Create a transit gateway, and connect it to the VPC. Order an AWS Direct Connect connection.", "D. Create and configure a bastion host in a public subnet of the VPC. Configure the bastion" ], "correct": "D. Create and configure a bastion host in a public subnet of the VPC. Configure the bastion", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company wants to migrate its website from an on-premises data center onto AWS.
At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company's security policy states that privileges and network permissions must be configured according to best practice, using least privilege. A solutions architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster. What steps are required after the deployment to meet the requirements? (Choose two.)", "options": [ "A. Create tasks using the bridge network mode.", "B. Create tasks using the awsvpc network mode.", "C. Apply security groups to Amazon EC2 instances, and use IAM roles for EC2 instances to", "D. Apply security groups to the tasks, and pass IAM credentials into the container at launch" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BE (100%)", "references": "" }, { "question": "Topic 1 A company is running a serverless application that consists of several AWS Lambda functions and Amazon DynamoDB tables. The company has created new functionality that requires the Lambda functions to access an Amazon Neptune DB cluster. The Neptune DB cluster is located in three subnets in a VPC. Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and DynamoDB tables? (Choose two.)", "options": [ "A. Create three public subnets in the Neptune VPC, and route traffic through an internet", "B. Create three private subnets in the Neptune VPC, and route internet traffic through a NAT", "C. Host the Lambda functions outside the VPC. Update the Neptune security group to allow", "D. Host the Lambda functions outside the VPC.
Create a VPC endpoint for the Neptune" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BE (90%) 5%", "references": "" }, { "question": "Topic 1 A company wants to design a disaster recovery (DR) solution for an application that runs in the company's data center. The application writes to an SMB file share and creates a copy on a second file share. Both file shares are in the data center. The application uses two types of files: metadata files and image files. The company wants to store the copy on AWS. The company needs the ability to use SMB to access the data from either the data center or AWS if a disaster occurs. The copy of the data is rarely accessed but must be available within 5 minutes. A. Deploy AWS Outposts with Amazon S3 storage. Configure a Windows Amazon EC2 instance on Outposts as a file server.", "options": [ "B. Deploy an Amazon FSx File Gateway. Configure an Amazon FSx for Windows File Server", "C. Deploy an Amazon S3 File Gateway. Configure the S3 File Gateway to use Amazon S3", "D. Deploy an Amazon S3 File Gateway. Configure the S3 File Gateway to use Amazon S3" ], "correct": "D. Deploy an Amazon S3 File Gateway. Configure the S3 File Gateway to use Amazon S3", "explanation": "Explanation/Reference: Community vote distribution D (71%) B (29%)", "references": "" }, { "question": "Topic 1 A company is creating a solution that can move 400 employees into a remote working environment in the event of an unexpected disaster. The user desktops have a mix of Windows and Linux operating systems. Multiple types of software, such as web browsers and mail clients, are installed on each desktop. A solutions architect needs to implement a solution that can be integrated with the company's on-premises Active Directory to allow employees to use their existing identity credentials. The solution must provide multifactor authentication (MFA) and must replicate the user experience from the existing desktops.
Which solution will meet these requirements?", "options": [ "A. Use Amazon WorkSpaces for the cloud desktop service. Set up a VPN connection to the", "B. Use Amazon AppStream 2.0 as an application streaming service. Configure Desktop View", "C. Use Amazon WorkSpaces for the cloud desktop service. Set up a VPN connection to the", "D. Use Amazon AppStream 2.0 as an application streaming service. Set up Active Directory" ], "correct": "C. Use Amazon WorkSpaces for the cloud desktop service. Set up a VPN connection to the", "explanation": "Explanation/Reference: Community vote distribution C (83%) Other", "references": "" }, { "question": "Topic 1 A company has deployed an Amazon Connect contact center. Contact center agents are reporting large numbers of computer-generated calls. The company is concerned about the cost and productivity effects of these calls. The company wants a solution that will allow agents to flag the call as spam and automatically block the numbers from going to an agent in the future. What is the MOST operationally efficient solution to meet these requirements?", "options": [ "A. Customize the Contact Control Panel (CCP) by adding a flag call button that will invoke an", "B. Use a Contact Lens for Amazon Connect rule that will look for spam calls. Use an Amazon", "C. Use an Amazon DynamoDB table to store the spam numbers. Create a quick connect that", "D. Modify the initial contact flow to ask for caller input. If the agent does not receive input," ], "correct": "B. Use a Contact Lens for Amazon Connect rule that will look for spam calls. Use an Amazon", "explanation": "Explanation/Reference: Community vote distribution A (86%) 14%", "references": "" }, { "question": "Topic 1 A company has mounted sensors to collect information about environmental parameters such as humidity and light throughout all the company's factories. The company needs to stream and analyze the data in the AWS Cloud in real time.
If any of the parameters fall out of acceptable ranges, the factory operations team must receive a notification immediately. Which solution will meet these requirements?", "options": [ "A. Stream the data to an Amazon Kinesis Data Firehose delivery stream. Use AWS Step", "B. Stream the data to an Amazon Managed Streaming for Apache Kafka (Amazon MSK)", "C. Stream the data to an Amazon Kinesis data stream. Create an AWS Lambda function to", "D. Stream the data to an Amazon Kinesis Data Analytics application. Use an automatically" ], "correct": "B. Stream the data to an Amazon Managed Streaming for Apache Kafka (Amazon MSK)", "explanation": "Explanation/Reference: Community vote distribution C (93%) 7%", "references": "" }, { "question": "Topic 1 A company is preparing to deploy an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for a workload. The company expects the cluster to support an unpredictable number of stateless pods. Many of the pods will be created during a short time period as the workload automatically scales the number of replicas that the workload uses. Which solution will MAXIMIZE node resilience?", "options": [ "A. Use a separate launch template to deploy the EKS control plane into a second cluster that", "B. Update the workload node groups. Use a smaller number of node groups and larger", "C. Configure the Kubernetes Cluster Autoscaler to ensure that the compute capacity of the", "D. Configure the workload to use topology spread constraints that are based on Availability" ], "correct": "D. Configure the workload to use topology spread constraints that are based on Availability", "explanation": "Explanation/Reference: Community vote distribution D (89%) 11%", "references": "" }, { "question": "Topic 1 A company needs to implement a disaster recovery (DR) plan for a web application. The application runs in a single AWS Region. The application uses microservices that run in containers.
The containers are hosted on AWS Fargate in Amazon Elastic Container Service (Amazon ECS). The application has an Amazon RDS for MySQL DB instance as its data layer and uses Amazon Route 53 for DNS resolution. An Amazon CloudWatch alarm invokes an Amazon EventBridge rule if the application experiences a failure. A solutions architect must design a DR solution to provide application recovery to a separate Region. The solution must minimize the time that is necessary to recover from a failure. Which solution will meet these requirements?", "options": [ "A. Set up a second ECS cluster and ECS service on Fargate in the separate Region. Create an", "B. Create an AWS Lambda function that creates a second ECS cluster and ECS service in the", "C. Set up a second ECS cluster and ECS service on Fargate in the separate Region. Create a", "D. Set up a second ECS cluster and ECS service on Fargate in the separate Region. Take a" ], "correct": "A. Set up a second ECS cluster and ECS service on Fargate in the separate Region. Create an", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company has AWS accounts that are in an organization in AWS Organizations. The company wants to track Amazon EC2 usage as a metric. The company's architecture team must receive a daily alert if the EC2 usage is more than 10% higher than the average EC2 usage from the last 30 days. Which solution will meet these requirements?", "options": [ "A. Configure AWS Budgets in the organization's management account. Specify a usage type", "B. Configure AWS Cost Anomaly Detection in the organization's management account.", "C. Enable AWS Trusted Advisor in the organization's management account. Configure a cost", "D. Configure Amazon Detective in the organization's management account. Configure an EC2" ], "correct": "C. Enable AWS Trusted Advisor in the organization's management account.
Configure a cost", "explanation": "Explanation/Reference: Community vote distribution A (68%) B (32%)", "references": "" }, { "question": "Topic 1 An e-commerce company is revamping its IT infrastructure and is planning to use AWS services. The company's CIO has asked a solutions architect to design a simple, highly available, and loosely coupled order processing application. The application is responsible for receiving and processing orders before storing them in an Amazon DynamoDB table. The application has a sporadic traffic pattern and should be able to scale during marketing campaigns to process the orders with minimal delays. Which of the following is the MOST reliable approach to meet the requirements?", "options": [ "A. Receive the orders in an Amazon EC2-hosted database and use EC2 instances to process", "B. Receive the orders in an Amazon SQS queue and invoke an AWS Lambda function to", "C. Receive the orders using the AWS Step Functions program and launch an Amazon ECS", "D. Receive the orders in Amazon Kinesis Data Streams and use Amazon EC2 instances to" ], "correct": "C. Receive the orders using the AWS Step Functions program and launch an Amazon ECS", "explanation": "Explanation/Reference: Community vote distribution B (78%) C (22%)", "references": "" }, { "question": "Topic 1 A company is deploying AWS Lambda functions that access an Amazon RDS for PostgreSQL database. The company needs to launch the Lambda functions in a QA environment and in a production environment. The company must not expose credentials within application code and must rotate passwords automatically. Which solution will meet these requirements?", "options": [ "A. Store the database credentials for both environments in AWS Systems Manager Parameter", "B. Store the database credentials for both environments in AWS Secrets Manager with", "C. Store the database credentials for both environments in AWS Key Management Service", "D.
Create separate S3 buckets for the QA environment and the production environment. Turn" ], "correct": "A. Store the database credentials for both environments in AWS Systems Manager Parameter", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is using AWS Control Tower to manage AWS accounts in an organization in AWS Organizations. The company has an OU that contains accounts. The company must prevent any new or existing Amazon EC2 instances in the OU's accounts from gaining a public IP address. Which solution will meet these requirements?", "options": [ "A. Configure all instances in each account in the OU to use AWS Systems Manager. Use a", "B. Implement the AWS Control Tower proactive control to check whether instances in the", "C. Create an SCP that prevents the launch of instances that have a public IP address.", "D. Create an AWS Config custom rule that detects instances that have a public IP address." ], "correct": "D. Create an AWS Config custom rule that detects instances that have a public IP address.", "explanation": "Explanation/Reference: Community vote distribution C (73%) B (27%)", "references": "" }, { "question": "Topic 1 A company is deploying a third-party web application on AWS. The application is packaged as a Docker image. The company has deployed the Docker image as an AWS Fargate service in Amazon Elastic Container Service (Amazon ECS). An Application Load Balancer (ALB) directs traffic to the application. The company needs to give only a specific list of users the ability to access the application from the internet. The company cannot change the application and cannot integrate the application with an identity provider. All users must be authenticated through multi-factor authentication (MFA). Which solution will meet these requirements?", "options": [ "A. Create a user pool in Amazon Cognito. Configure the pool for the application.
Populate the", "B. Configure the users in AWS Identity and Access Management (IAM). Attach a resource", "C. Configure the users in AWS Identity and Access Management (IAM). Enable AWS IAM", "D. Create a user pool in AWS Amplify. Configure the pool for the application. Populate the" ], "correct": "A. Create a user pool in Amazon Cognito. Configure the pool for the application. Populate the", "explanation": "Explanation/Reference: Community vote distribution A (92%) 8%", "references": "" }, { "question": "Topic 1 A solutions architect is preparing to deploy a new security tool into several previously unused AWS Regions. The solutions architect will deploy the tool by using an AWS CloudFormation stack set. The stack set's template contains an IAM role that has a custom name. Upon creation of the stack set, no stack instances are created successfully. What should the solutions architect do to deploy the stacks successfully?", "options": [ "A. Enable the new Regions in all relevant accounts. Specify the CAPABILITY_NAMED_IAM", "B. Use the Service Quotas console to request a quota increase for the number of", "C. Specify the CAPABILITY_NAMED_IAM capability and the SELF_MANAGED permissions", "D. Specify an administration role ARN and the CAPABILITY_IAM capability during the creation" ], "correct": "C. Specify the CAPABILITY_NAMED_IAM capability and the SELF_MANAGED permissions", "explanation": "Explanation/Reference: Community vote distribution A (93%) 7%", "references": "" }, { "question": "Topic 1 A company has an application that uses an Amazon Aurora PostgreSQL DB cluster for the application's database. The DB cluster contains one small primary instance and three larger replica instances. The application runs on an AWS Lambda function. The application makes many short-lived connections to the database's replica instances to perform read-only operations.
During periods of high traffic, the application becomes unreliable and the database reports that too many connections are being established. The frequency of high-traffic periods is unpredictable. Which solution will improve the reliability of the application?", "options": [ "A. Use Amazon RDS Proxy to create a proxy for the DB cluster. Configure a read-only endpoint", "B. Increase the max_connections setting on the DB cluster's parameter group. Reboot all the", "C. Configure instance scaling for the DB cluster to occur when the DatabaseConnections", "D. Use Amazon RDS Proxy to create a proxy for the DB cluster. Configure a read-only endpoint" ], "correct": "C. Configure instance scaling for the DB cluster to occur when the DatabaseConnections", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A retail company is mounting IoT sensors in all of its stores worldwide. During the manufacturing of each sensor, the company's private certificate authority (CA) issues an X.509 certificate that contains a unique serial number. The company then deploys each certificate to its respective sensor. A solutions architect needs to give the sensors the ability to send data to AWS after they are installed. Sensors must not be able to send data to AWS until they are installed. Which solution will meet these requirements?", "options": [ "A. Create an AWS Lambda function that can validate the serial number. Create an AWS IoT", "B. Create an AWS Step Functions state machine that can validate the serial number. Create", "C. Create an AWS Lambda function that can validate the serial number. Create an AWS IoT", "D. Create an AWS IoT Core provisioning template. Include the SerialNumber parameter in the" ], "correct": "C. Create an AWS Lambda function that can validate the serial number.
Create an AWS IoT", "explanation": "Explanation/Reference: Community vote distribution C (88%) 13%", "references": "" }, { "question": "Topic 1 A startup company recently migrated a large ecommerce website to AWS. The website has experienced a 70% increase in sales. Software engineers are using a private GitHub repository to manage code. The DevOps team is using Jenkins for builds and unit testing. The engineers need to receive notifications for bad builds and zero downtime during deployments. The engineers also need to ensure any changes to production are seamless for users and can be rolled back in the event of a major issue. The software engineers have decided to use AWS CodePipeline to manage their build and deployment process. Which solution will meet these requirements? A. Use GitHub websockets to trigger the CodePipeline pipeline. Use the Jenkins plugin for AWS CodeBuild to conduct unit testing. Send alerts to an Amazon SNS topic for any bad builds. Deploy in an in-place, all-at-once deployment configuration using AWS CodeDeploy.", "options": [ "B. Use GitHub webhooks to trigger the CodePipeline pipeline. Use the Jenkins plugin for AWS", "C. Use GitHub websockets to trigger the CodePipeline pipeline. Use AWS X-Ray for unit", "D. Use GitHub webhooks to trigger the CodePipeline pipeline. Use AWS X-Ray for unit testing" ], "correct": "B. Use GitHub webhooks to trigger the CodePipeline pipeline. Use the Jenkins plugin for AWS", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A software as a service (SaaS) company has developed a multi-tenant environment. The company uses Amazon DynamoDB tables that the tenants share for the storage layer. The company uses AWS Lambda functions for the application services. The company wants to offer a tiered subscription model that is based on resource consumption by each tenant.
Each tenant is identified by a unique tenant ID that is sent as part of each request to the Lambda functions. The company has created an AWS Cost and Usage Report (AWS CUR) in an AWS account. The company wants to allocate the DynamoDB costs to each tenant to match that tenant's resource consumption. Which solution will provide a granular view of the DynamoDB cost for each tenant with the LEAST operational effort?", "options": [ "A. Associate a new tag that is named tenant ID with each table in DynamoDB. Activate the tag", "B. Configure the Lambda functions to log the tenant ID and the number of RCUs and WCUs", "C. Create a new partition key that associates DynamoDB items with individual tenants. Deploy", "D. Deploy a Lambda function to log the tenant ID, the size of each response, and the duration" ], "correct": "A. Associate a new tag that is named tenant ID with each table in DynamoDB. Activate the tag", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has an application that stores data in a single Amazon S3 bucket. The company must keep all data for 1 year. The company's security team is concerned that an attacker could gain access to the AWS account through leaked long-term credentials. Which solution will ensure that existing and future objects in the S3 bucket are protected?", "options": [ "A. Create a new AWS account that is accessible only to the security team through an", "B. Use the s3-bucket-versioning-enabled AWS Config managed rule. Configure an automatic", "C. Explicitly deny bucket creation from all users and roles except for an AWS Service Catalog", "D. Enable Amazon GuardDuty with the S3 protection feature for the account and the AWS" ], "correct": "D.
Enable Amazon GuardDuty with the S3 protection feature for the account and the AWS", "explanation": "Explanation/Reference: Community vote distribution A (75%) D (25%)", "references": "" }, { "question": "Topic 1 A company needs to improve the security of its web-based application on AWS. The application uses Amazon CloudFront with two custom origins. The first custom origin routes requests to an Amazon API Gateway HTTP API. The second custom origin routes traffic to an Application Load Balancer (ALB). The application integrates with an OpenID Connect (OIDC) identity provider (IdP) for user management. A security audit shows that a JSON Web Token (JWT) authorizer provides access to the API. The security audit also shows that the ALB accepts requests from unauthenticated users. A solutions architect must design a solution to ensure that all backend services respond to only authenticated users. Which solution will meet this requirement?", "options": [ "A. Configure the ALB to enforce authentication and authorization by integrating the ALB with", "B. Modify the CloudFront configuration to use signed URLs. Implement a permissive signing", "C. Create an AWS WAF web ACL that filters out unauthenticated requests at the ALB level.", "D. Enable AWS CloudTrail to log all requests that come to the ALB. Create an AWS Lambda" ], "correct": "D. Enable AWS CloudTrail to log all requests that come to the ALB. Create an AWS Lambda", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company creates an AWS Control Tower landing zone to manage and govern a multi-account AWS environment. The company's security team will deploy preventive controls and detective controls to monitor AWS services across all the accounts. The security team needs a centralized view of the security state of all the accounts. Which solution will meet these requirements?", "options": [ "A.
From the AWS Control Tower management account, use AWS CloudFormation StackSets to", "B. Enable Amazon Detective for the organization in AWS Organizations. Designate one AWS", "C. From the AWS Control Tower management account, deploy an AWS CloudFormation stack", "D. Enable AWS Security Hub for the organization in AWS Organizations. Designate one AWS", "A. Deploy an AWS DataSync agent and configure a task to transfer the images to the S3", "B. Configure Amazon Kinesis Data Firehose to transfer the images using S3 Transfer", "C. Use an AWS Snowball device to transfer the images with the S3 bucket as the target.", "D. Transfer the images over a Site-to-Site VPN connection using the S3 API with multipart" ], "correct": "A. Deploy an AWS DataSync agent and configure a task to transfer the images to the S3", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 A company has a web application that uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. A recent marketing campaign has increased demand. Monitoring software reports that many requests have significantly longer response times than before the marketing campaign. A solutions architect enabled Amazon CloudWatch Logs for API Gateway and noticed that errors are occurring on 20% of the requests. In CloudWatch, the Lambda function Throttles metric represents 1% of the requests and the Errors metric represents 10% of the requests. Application logs indicate that, when errors occur, there is a call to DynamoDB. What change should the solutions architect make to improve the current response times as the web application becomes more popular?", "options": [ "A. Increase the concurrency limit of the Lambda function.", "B. Implement DynamoDB auto scaling on the table.", "C. Increase the API Gateway throttle limit.", "D. Re-create the DynamoDB table with a better-partitioned primary index." ], "correct": "B.
Implement DynamoDB auto scaling on the table.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has an application that has a web frontend. The application runs in the company's on-premises data center and requires access to file storage for critical data. The application runs on three Linux VMs for redundancy. The architecture includes a load balancer with HTTP request-based routing. The company needs to migrate the application to AWS as quickly as possible. The architecture on AWS must be highly available. Which solution will meet these requirements with the FEWEST changes to the architecture?", "options": [ "A. Migrate the application to Amazon Elastic Container Service (Amazon ECS) containers that", "B. Migrate the application to Amazon EC2 instances in three Availability Zones. Use Amazon", "C. Migrate the application to Amazon Elastic Kubernetes Service (Amazon EKS) containers", "D. Migrate the application to Amazon EC2 instances in three AWS Regions. Use Amazon" ], "correct": "B. Migrate the application to Amazon EC2 instances in three Availability Zones. Use Amazon", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is planning to migrate an on-premises data center to AWS. The company currently hosts the data center on Linux-based VMware VMs. A solutions architect must collect information about network dependencies between the VMs. The information must be in the form of a diagram that details host IP addresses, hostnames, and network connection information. Which solution will meet these requirements?", "options": [ "A. Use AWS Application Discovery Service. Select an AWS Migration Hub home AWS Region.", "B. Use the AWS Application Discovery Service Agentless Collector for server data collection.", "C.
Install the AWS Application Migration Service agent on the on-premises servers for data", "D. Install the AWS Application Migration Service agent on the on-premises servers for data" ], "correct": "D. Install the AWS Application Migration Service agent on the on-premises servers for data", "explanation": "Explanation/Reference: Community vote distribution A (89%) 11%", "references": "" }, { "question": "Topic 1 A company runs a software-as-a-service (SaaS) application on AWS. The application consists of AWS Lambda functions and an Amazon RDS for MySQL Multi-AZ database. During market events, the application has a much higher workload than normal. Users notice slow response times during the peak periods because of many database connections. The company needs to improve the scalable performance and availability of the database. Which solution meets these requirements?", "options": [ "A. Create an Amazon CloudWatch alarm action that triggers a Lambda function to add an", "B. Migrate the database to Amazon Aurora, and add a read replica. Add a database", "C. Migrate the database to Amazon Aurora, and add a read replica. Use Amazon Route 53", "D. Migrate the database to Amazon Aurora, and add an Aurora Replica. Configure Amazon" ], "correct": "D. Migrate the database to Amazon Aurora, and add an Aurora Replica. Configure Amazon", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company is planning to migrate an application from on premises to the AWS Cloud. The company will begin the migration by moving the application's underlying data storage to AWS. The application data is stored on a shared file system on premises, and the application servers connect to the shared file system through SMB. A solutions architect must implement a solution that uses an Amazon S3 bucket for shared storage.
Until the application is fully migrated and code is rewritten to use native Amazon S3 APIs, the application must continue to have access to the data through SMB. The solutions architect must migrate the application data to AWS to its new location while still allowing the on-premises application to access the data. Which solution will meet these requirements?", "options": [ "A. Create a new Amazon FSx for Windows File Server file system. Configure AWS DataSync", "B. Create an S3 bucket for the application. Copy the data from the on-premises storage to the", "C. Deploy an AWS Server Migration Service (AWS SMS) VM to the on-premises environment.", "D. Create an S3 bucket for the application. Deploy a new AWS Storage Gateway file gateway" ], "correct": "A. Create a new Amazon FSx for Windows File Server file system. Configure AWS DataSync", "explanation": "Explanation/Reference: Community vote distribution D (92%) 8%", "references": "" }, { "question": "Topic 1 A global company has a mobile app that displays ticket barcodes. Customers use the tickets on the mobile app to attend live events. Event scanners read the ticket barcodes and call a backend API to validate the barcode data against data in a database. After the barcode is scanned, the backend logic writes to the database's single table to mark the barcode as used. The company needs to deploy the app on AWS with a DNS name of api.example.com. The company will host the database in three AWS Regions around the world. Which solution will meet these requirements with the LOWEST latency?", "options": [ "A. Host the database on Amazon Aurora global database clusters. Host the backend on three", "B. Host the database on Amazon Aurora global database clusters. Host the backend on three", "D. Host the database on Amazon DynamoDB global tables.
Create an Amazon CloudFront" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A medical company is running a REST API on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB runs in three public subnets, and the EC2 instances run in three private subnets. The company has deployed an Amazon CloudFront distribution that has the ALB as the only origin. Which solution should a solutions architect recommend to enhance the origin security?", "options": [ "A. Store a random string in AWS Secrets Manager. Create an AWS Lambda function for", "B. Create an AWS WAF web ACL rule with an IP match condition of the CloudFront service IP", "C. Store a random string in AWS Systems Manager Parameter Store. Configure Parameter", "D. Configure AWS Shield Advanced. Create a security group policy to allow connections from" ], "correct": "B. Create an AWS WAF web ACL rule with an IP match condition of the CloudFront service IP", "explanation": "Explanation/Reference: Community vote distribution A (100%)", "references": "" }, { "question": "Topic 1 To abide by industry regulations, a solutions architect must design a solution that will store a company's critical data in multiple public AWS Regions, including in the United States, where the company's headquarters is located. The solutions architect is required to provide access to the data stored in AWS to the company's global WAN network. The security team mandates that no traffic accessing this data should traverse the public internet. How should the solutions architect design a highly available solution that meets the requirements and is cost-effective?", "options": [ "A. Establish AWS Direct Connect connections from the company headquarters to all AWS", "B. Establish two AWS Direct Connect connections from the company headquarters to an AWS", "C.
Establish two AWS Direct Connect connections from the company headquarters to an AWS", "D. Establish two AWS Direct Connect connections from the company headquarters to an AWS" ], "correct": "D. Establish two AWS Direct Connect connections from the company headquarters to an AWS", "explanation": "Explanation/Reference: Community vote distribution D (80%) C (20%)", "references": "" }, { "question": "Topic 1 A company has developed an application that is running Windows Server on VMware vSphere VMs that the company hosts on premises. The application data is stored in a proprietary format that must be read through the application. The company manually provisioned the servers and the application. As part of its disaster recovery plan, the company wants the ability to host its application on AWS temporarily if the company's on-premises environment becomes unavailable. The company wants the application to return to on-premises hosting after a disaster recovery event is complete. The RPO is 5 minutes. Which solution meets these requirements with the LEAST amount of operational overhead?", "options": [ "A. Configure AWS DataSync. Replicate the data to Amazon Elastic Block Store (Amazon EBS)", "B. Configure AWS Elastic Disaster Recovery. Replicate the data to replication Amazon EC2", "C. Provision an AWS Storage Gateway file gateway. Replicate the data to an Amazon S3", "D. Provision an Amazon FSx for Windows File Server file system on AWS. Replicate the data" ], "correct": "B. Configure AWS Elastic Disaster Recovery. Replicate the data to replication Amazon EC2", "explanation": "Explanation/Reference: Community vote distribution B (91%) 9%", "references": "" }, { "question": "Topic 1 A company runs a highly available data collection application on Amazon EC2 in the eu-north-1 Region. The application collects data from end-user devices and writes records to an Amazon Kinesis data stream and a set of AWS Lambda functions that process the records.
The company persists the output of the record processing to an Amazon S3 bucket in eu-north-1. The company uses the data in the S3 bucket as a data source for Amazon Athena. The company wants to increase its global presence. A solutions architect must launch the data collection capabilities in the sa-east-1 and ap-northeast-1 Regions. The solutions architect deploys the application, the Kinesis data stream, and the Lambda functions in the two new Regions. The solutions architect keeps the S3 bucket in eu-north-1 to meet a requirement to centralize the data analysis. During testing of the new setup, the solutions architect notices a significant lag on the arrival of data from the new Regions to the S3 bucket. Which solution will improve this lag time the MOST?", "options": [ "A. In each of the two new Regions, set up the Lambda functions to run in a VPC. Set up an S3", "B. Turn on S3 Transfer Acceleration on the S3 bucket in eu-north-1. Change the application to", "C. Create an S3 bucket in each of the two new Regions. Set the application in each new", "D. Increase the memory requirements of the Lambda functions to ensure that they have" ], "correct": "C. Create an S3 bucket in each of the two new Regions. Set the application in each new", "explanation": "Explanation/Reference: Community vote distribution C (66%) B (34%)", "references": "" }, { "question": "Topic 1 A company provides a centralized Amazon EC2 application hosted in a single shared VPC. The centralized application must be accessible from client applications running in the VPCs of other business units. The centralized application front end is configured with a Network Load Balancer (NLB) for scalability. Up to 10 business unit VPCs will need to be connected to the shared VPC.
Some of the business unit VPC CIDR blocks overlap with the shared VPC, and some overlap with each other. Network connectivity to the centralized application in the shared VPC should be allowed from authorized business unit VPCs only. Which network configuration should a solutions architect use to provide connectivity from the client applications in the business unit VPCs to the centralized application in the shared VPC?", "options": [ "A. Create an AWS Transit Gateway. Attach the shared VPC and the authorized business unit", "B. Create a VPC endpoint service using the centralized application NLB and enable the option", "C. Create a VPC peering connection from each business unit VPC to the shared VPC. Accept the", "D. Configure a virtual private gateway for the shared VPC and create customer gateways for" ], "correct": "A. Create an AWS Transit Gateway. Attach the shared VPC and the authorized business unit", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company wants to migrate its website to AWS. The website uses microservices and runs on containers that are deployed in an on-premises, self-managed Kubernetes cluster. All the manifests that define the deployments for the containers in the Kubernetes deployment are in source control. All data for the website is stored in a PostgreSQL database. An open source container image repository runs alongside the on-premises environment. A solutions architect needs to determine the architecture that the company will use for the website on AWS. Which solution will meet these requirements with the LEAST effort to migrate?", "options": [ "A. Create an AWS App Runner service. Connect the App Runner service to the open source", "B. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that has managed", "C. Create an Amazon Elastic Container Service (Amazon ECS) cluster that has an Amazon", "D.
Rebuild the on-premises Kubernetes cluster by hosting the cluster on Amazon EC2" ], "correct": "D. Rebuild the on-premises Kubernetes cluster by hosting the cluster on Amazon EC2", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company uses a mobile app on AWS to run online contests. The company selects a winner at random at the end of each contest. The contests run for variable lengths of time. The company does not need to retain any data from a contest after the contest is finished. The company uses custom code that is hosted on Amazon EC2 instances to process the contest data and select a winner. The EC2 instances run behind an Application Load Balancer and store contest entries on Amazon RDS DB instances. The company must design a new architecture to reduce the cost of running the contests. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Migrate storage of the contest entries to Amazon DynamoDB. Create a DynamoDB", "B. Migrate the storage of the contest entries to Amazon Redshift. Rewrite the code as AWS", "C. Add an Amazon ElastiCache for Redis cluster in front of the RDS DB instances to cache the" ], "correct": "C. Add an Amazon ElastiCache for Redis cluster in front of the RDS DB instances to cache the", "explanation": "Explanation/Reference: Community vote distribution D (63%) A (38%)", "references": "" }, { "question": "Topic 1 A company has implemented a new security requirement. According to the new requirement, the company must scan all traffic from corporate AWS instances in the company's VPC for violations of the company's security policies. As a result of these scans, the company can block access to and from specific IP addresses. To meet the new requirement, the company deploys a set of Amazon EC2 instances in private subnets to serve as transparent proxies.
The company installs approved proxy server software on these EC2 instances. The company modifies the route tables on all subnets to use the corresponding EC2 instances with proxy software as the default route. The company also creates security groups that are compliant with the security policies and assigns these security groups to the EC2 instances. Despite these configurations, the traffic of the EC2 instances in their private subnets is not being properly forwarded to the internet. What should a solutions architect do to resolve this issue?", "options": [ "A. Disable source/destination checks on the EC2 instances that run the proxy software.", "B. Add a rule to the security group that is assigned to the proxy EC2 instances to allow all", "C. Change the VPC's DHCP options set. Set the DNS server options to point to the addresses", "D. Assign one additional elastic network interface to each proxy EC2 instance. Ensure that" ], "correct": "A. Disable source/destination checks on the EC2 instances that run the proxy software.", "explanation": "Explanation/Reference: Community vote distribution A (90%) 10%", "references": "" }, { "question": "Topic 1 A company is running its solution on AWS in a manually created VPC. The company is using AWS CloudFormation to provision other parts of the infrastructure. According to a new requirement, the company must manage all infrastructure in an automatic way. What should the company do to meet this new requirement with the LEAST effort?", "options": [ "A. Create a new AWS Cloud Development Kit (AWS CDK) stack that strictly provisions the", "B. Create a CloudFormation stack set that creates the VPC. Use the stack set to import the", "C. Create a new CloudFormation template that strictly provisions the existing VPC resources", "D. Create a new CloudFormation template that creates the VPC. Use the AWS Serverless" ], "correct": "D. Create a new CloudFormation template that creates the VPC.
Use the AWS Serverless", "explanation": "Explanation/Reference: Community vote distribution C (73%) B (23%) 5%", "references": "" }, { "question": "Topic 1 A company has developed a new release of a popular video game and wants to make it available for public download. The new release package is approximately 5 GB in size. The company provides downloads for existing releases from a Linux-based, publicly facing FTP site hosted in an on-premises data center. The company expects the new release will be downloaded by users worldwide. The company wants a solution that provides improved download performance and low transfer costs, regardless of a user's location.", "options": [ "A. Store the game files on Amazon EBS volumes mounted on Amazon EC2 instances within", "B. Store the game files on Amazon EFS volumes that are attached to Amazon EC2 instances", "C. Configure Amazon Route 53 and an Amazon S3 bucket for website hosting. Upload the", "D. Configure Amazon Route 53 and an Amazon S3 bucket for website hosting. Upload the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company runs an application in the cloud that consists of a database and a website. Users can post data to the website, have the data processed, and have the data sent back to them in an email. Data is stored in a MySQL database running on an Amazon EC2 instance. The database is running in a VPC with two private subnets. The website is running on Apache Tomcat in a single EC2 instance in a different VPC with one public subnet. There is a single VPC peering connection between the database and website VPC. The website has suffered several outages during the last month due to high traffic. Which actions should a solutions architect take to increase the reliability of the application? (Choose three.)", "options": [ "A.
Place the Tomcat server in an Auto Scaling group with multiple EC2 instances behind an", "B. Provision an additional VPC peering connection.", "C. Migrate the MySQL database to Amazon Aurora with one Aurora Replica.", "D. Provision two NAT gateways in the database VPC." ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACF (100%)", "references": "" }, { "question": "Topic 1 A retail company is operating its ecommerce application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses an Amazon RDS DB instance as the database backend. Amazon CloudFront is configured with one origin that points to the ALB. Static content is cached. Amazon Route 53 is used to host all public zones. After an update of the application, the ALB occasionally returns a 502 status code (Bad Gateway) error. The root cause is malformed HTTP headers that are returned to the ALB. The webpage returns successfully when a solutions architect reloads the webpage immediately after the error occurs. While the company is working on the problem, the solutions architect needs to provide a custom error page instead of the standard ALB error page to visitors. Which combination of steps will meet this requirement with the LEAST amount of operational overhead? (Choose two.)", "options": [ "A. Create an Amazon S3 bucket. Configure the S3 bucket to host a static webpage. Upload", "B. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health", "C. Modify the existing Amazon Route 53 records by adding health checks. Configure a", "D.
Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AE (100%)", "references": "" }, { "question": "Topic 1 A company wants to migrate an Amazon Aurora MySQL DB cluster from an existing AWS account to a new AWS account in the same AWS Region. Both accounts are members of the same organization in AWS Organizations. The company must minimize database service interruption before the company performs DNS cutover to the new database. Which migration strategy will meet this requirement? (Choose two.)", "options": [ "A. Take a snapshot of the existing Aurora database. Share the snapshot with the new AWS", "B. Create an Aurora DB cluster in the new AWS account. Use AWS Database Migration Service", "C. Use AWS Backup to share an Aurora database backup from the existing AWS account to", "D. Create an Aurora DB cluster in the new AWS account. Use AWS Application Migration" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AB (88%) 13%", "references": "" }, { "question": "Topic 1 A software as a service (SaaS) company provides a media software solution to customers. The solution is hosted on 50 VPCs across various AWS Regions and AWS accounts. One of the VPCs is designated as a management VPC. The compute resources in the VPCs work independently. The company has developed a new feature that requires all 50 VPCs to be able to communicate with each other. The new feature also requires one-way access from each customer's VPC to the company's management VPC. The management VPC hosts a compute resource that validates licenses for the media software solution. The number of VPCs that the company will use to host the solution will continue to increase as the solution grows. Which combination of steps will provide the required VPC connectivity with the LEAST operational overhead? (Choose two.)", "options": [ "A.
Create a transit gateway. Attach all the company's VPCs and relevant subnets to the transit", "B. Create VPC peering connections between all the company's VPCs.", "C. Create a Network Load Balancer (NLB) that points to the compute resource for license", "D. Create a VPN appliance in each customer's VPC. Connect the company's management VPC" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AC (71%) 14% 14%", "references": "" }, { "question": "Topic 1 A company has multiple lines of business (LOBs) that roll up to the parent company. The company has asked its solutions architect to develop a solution with the following requirements: \u00b7 Produce a single AWS invoice for all of the AWS accounts used by its LOBs. \u00b7 The costs for each LOB account should be broken out on the invoice. \u00b7 Provide the ability to restrict services and features in the LOB accounts, as defined by the company's governance policy. \u00b7 Each LOB account should be delegated full administrator permissions, regardless of the governance policy. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)", "options": [ "A. Use AWS Organizations to create an organization in the parent account for each LOB. Then", "B. Use AWS Organizations to create a single organization in the parent account. Then, invite", "C. Implement service quotas to define the services and features that are permitted and apply", "D. Create an SCP that allows only approved services and features, then apply the policy to the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BE (57%) BD (33%) 10%", "references": "" }, { "question": "Topic 1 A solutions architect has deployed a web application that serves users across two AWS Regions under a custom domain. The application uses Amazon Route 53 latency-based routing.
The solutions architect has associated weighted record sets with a pair of web servers in separate Availability Zones for each Region. The solutions architect runs a disaster recovery scenario. When all the web servers in one Region are stopped, Route 53 does not automatically redirect users to the other Region. Which of the following are possible root causes of this issue? (Choose two.)", "options": [ "A. The weight for the Region where the web servers were stopped is higher than the weight", "B. One of the web servers in the secondary Region did not pass its HTTP health check.", "C. Latency resource record sets cannot be used in combination with weighted resource", "D. The setting to evaluate target health is not turned on for the latency alias resource record" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution DE (100%)", "references": "" }, { "question": "Topic 1 A flood monitoring agency has deployed more than 10,000 water-level monitoring sensors. Sensors send continuous data updates, and each update is less than 1 MB in size. The agency has a fleet of on-premises application servers. These servers receive updates from the sensors, convert the raw data into a human readable format, and write the results to an on-premises relational database server. Data analysts then use simple SQL queries to monitor the data. The agency wants to increase overall application availability and reduce the effort that is required to perform maintenance tasks. These maintenance tasks, which include updates and patches to the application servers, cause downtime. While an application server is down, data is lost from sensors because the remaining servers cannot handle the entire workload. The agency wants a solution that optimizes operational overhead and costs. A solutions architect recommends the use of AWS IoT Core to collect the sensor data.
What else should the solutions architect recommend to meet these requirements?", "options": [ "A. Send the sensor data to Amazon Kinesis Data Firehose. Use an AWS Lambda function to", "B. Send the sensor data to Amazon Kinesis Data Firehose. Use an AWS Lambda function to", "C. Send the sensor data to an Amazon Managed Service for Apache Flink (previously known", "D. Send the sensor data to an Amazon Managed Service for Apache Flink (previously known" ], "correct": "D. Send the sensor data to an Amazon Managed Service for Apache Flink (previously known", "explanation": "Explanation/Reference: Community vote distribution B (71%) 14% 14%", "references": "" }, { "question": "Topic 1 A public retail web application uses an Application Load Balancer (ALB) in front of Amazon EC2 instances running across multiple Availability Zones (AZs) in a Region backed by an Amazon RDS MySQL Multi-AZ deployment. Target group health checks are configured to use HTTP and pointed at the product catalog page. Auto Scaling is configured to maintain the web fleet size based on the ALB health check. Recently, the application experienced an outage. Auto Scaling continuously replaced the instances during the outage. A subsequent investigation determined that the web server metrics were within the normal range, but the database tier was experiencing high load, resulting in severely elevated query response times. Which of the following changes together would remediate these issues while improving monitoring capabilities for the availability and functionality of the entire application stack for future growth? (Choose two.)", "options": [ "A. Configure read replicas for Amazon RDS MySQL and use the single reader endpoint in the", "B. Configure the target group health check to point at a simple HTML page instead of a", "C. Configure the target group health check to use a TCP check of the Amazon EC2 web server", "D.
Configure an Amazon CloudWatch alarm for Amazon RDS with an action to recover a high-" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BE (59%) AB (23%) Other", "references": "" }, { "question": "Topic 1 A company has an on-premises data center and is using Kubernetes to develop a new solution on AWS. The company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters for its development and test environments. The EKS control plane and data plane for production workloads must reside on premises. The company needs an AWS managed solution for Kubernetes management. Which solution will meet these requirements with the LEAST operational overhead? A. Install an AWS Outposts server in the on-premises data center. Deploy Amazon EKS by using a local cluster configuration on the Outposts server for the production workloads.", "options": [ "B. Install Amazon EKS Anywhere on the company's hardware in the on-premises data center.", "C. Install an AWS Outposts server in the on-premises data center. Deploy Amazon EKS by", "D. Install an AWS Outposts server in the on-premises data center. Install Amazon EKS" ], "correct": "B. Install Amazon EKS Anywhere on the company's hardware in the on-premises data center.", "explanation": "Explanation/Reference: Community vote distribution A (63%) B (25%) 13%", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations to manage its development environment. Each development team at the company has its own AWS account. Each account has a single VPC and CIDR blocks that do not overlap. The company has an Amazon Aurora DB cluster in a shared services account. All the development teams need to work with live data from the DB cluster. Which solution will provide the required connectivity to the DB cluster with the LEAST operational overhead?", "options": [ "A. Create an AWS Resource Access Manager (AWS RAM) resource share for the DB cluster.", "B.
Create a transit gateway in the shared services account. Create an AWS Resource Access", "C. Create an Application Load Balancer (ALB) that points to the IP address of the DB cluster.", "D. Create an AWS Site-to-Site VPN connection in the shared services account. Configure" ], "correct": "A. Create an AWS Resource Access Manager (AWS RAM) resource share for the DB cluster.", "explanation": "Explanation/Reference: Community vote distribution B (64%) A (32%) 5%", "references": "" }, { "question": "Topic 1 A company used AWS CloudFormation to create all new infrastructure in its AWS member accounts. The resources rarely change and are properly sized for the expected load. The monthly AWS bill is consistent. Occasionally, a developer creates a new resource for testing and forgets to remove the resource when the test is complete. Most of these tests last a few days before the resources are no longer needed. The company wants to automate the process of finding unused resources. A solutions architect needs to design a solution that determines whether the cost in the AWS bill is increasing. The solution must help identify resources that cause an increase in cost and must automatically notify the company's operations team. Which solution will meet these requirements?", "options": [ "A. Turn on billing alerts. Use AWS Cost Explorer to determine the costs for the past month.", "B. Turn on billing alerts. Use AWS Cost Explorer to determine the average monthly costs for", "C. Use AWS Cost Anomaly Detection to create a cost monitor that has a monitor type of", "D. Use AWS Cost Anomaly Detection to create a cost monitor that has a monitor type of AWS" ], "correct": "A. Turn on billing alerts.
Use AWS Cost Explorer to determine the costs for the past month.", "explanation": "Explanation/Reference: Community vote distribution D (69%) C (31%)", "references": "" }, { "question": "Topic 1 A company is deploying a new web-based application and needs a storage solution for the Linux application servers. The company wants to create a single location for updates to application data for all instances. The active dataset will be up to 100 GB in size. A solutions architect has determined that peak operations will occur for 3 hours daily and will require a total of 225 MiBps of read throughput. The solutions architect must design a Multi-AZ solution that makes a copy of the data available in another AWS Region for disaster recovery (DR). The DR copy has an RPO of less than 1 hour. Which solution will meet these requirements?", "options": [ "A. Deploy a new Amazon Elastic File System (Amazon EFS) Multi-AZ file system. Configure", "B. Deploy a new Amazon FSx for Lustre file system. Configure Bursting Throughput mode for", "C. Deploy a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume", "D. Deploy an Amazon FSx for OpenZFS file system in both the production Region and the DR" ], "correct": "B. Deploy a new Amazon FSx for Lustre file system. Configure Bursting Throughput mode for", "explanation": "Explanation/Reference: Community vote distribution D (86%) 14%", "references": "" }, { "question": "Topic 1 A company needs to gather data from an experiment in a remote location that does not have internet connectivity. During the experiment, sensors that are connected to a local network will generate 6 TB of data in a proprietary format over the course of 1 week. The sensors can be configured to upload their data files to an FTP server periodically, but the sensors do not have their own FTP server. The sensors also do not support other protocols.
The company needs to collect the data centrally and move the data to object storage in the AWS Cloud as soon as possible after the experiment. Which solution will meet these requirements?", "options": [ "A. Order an AWS Snowball Edge Compute Optimized device. Connect the device to the local", "B. Order an AWS Snowcone device, including an Amazon Linux 2 AMI. Connect the device to", "C. Order an AWS Snowcone device, including an Amazon Linux 2 AMI. Connect the device to" ], "correct": "C. Order an AWS Snowcone device, including an Amazon Linux 2 AMI. Connect the device to", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company that has multiple business units is using AWS Organizations with all features enabled. The company has implemented an account structure in which each business unit has its own AWS account. Administrators in each AWS account need to view detailed cost and utilization data for their account by using Amazon Athena. Each business unit can have access to only its own cost and utilization data. The IAM policies that govern the ability to set up AWS Cost and Usage Reports are in place. A central Cost and Usage Report that contains all data for the organization is already available in an Amazon S3 bucket. Which solution will meet these requirements with the LEAST operational complexity?", "options": [ "A. In the organization's management account, use AWS Resource Access Manager (AWS", "B. In the organization's management account, configure an S3 event to invoke an AWS", "C. In each member account, access AWS Cost Explorer. Create a new report that contains", "D. In each member account, create a new S3 bucket to store Cost and Usage Report data. Set" ], "correct": "A.
In the organization's management account, use AWS Resource Access Manager (AWS", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is designing an AWS environment for a manufacturing application. The application has been successful with customers, and the application's user base has increased. The company has connected the AWS environment to the company's on-premises data center through a 1 Gbps AWS Direct Connect connection. The company has configured BGP for the connection. The company must update the existing network connectivity solution to ensure that the solution is highly available, fault tolerant, and secure. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Add a dynamic private IP AWS Site-to-Site VPN as a secondary path to secure data in", "B. Provision another Direct Connect connection between the company's on-premises data", "C. Configure multiple private VIFs. Load balance data across the VIFs between the on-", "D. Add a static AWS Site-to-Site VPN as a secondary path to secure data in transit and to" ], "correct": "D. Add a static AWS Site-to-Site VPN as a secondary path to secure data in transit and to", "explanation": "Explanation/Reference: Community vote distribution D (74%) A (26%)", "references": "" }, { "question": "Topic 1 A company needs to modernize an application and migrate the application to AWS. The application stores user profile data as text in a single table in an on-premises MySQL database. After the modernization, users will use the application to upload video files that are up to 4 GB in size. Other users must be able to download the video files from the application. The company needs a video storage solution that provides rapid scaling. The solution must not affect application performance. Which solution will meet these requirements?", "options": [ "A.
Migrate the database to Amazon Aurora PostgreSQL by using AWS Database Migration", "B. Migrate the database to Amazon DynamoDB by using AWS Database Migration Service", "C. Migrate the database to Amazon Keyspaces (for Apache Cassandra) by using AWS", "D. Migrate the database to Amazon DynamoDB by using AWS Database Migration Service" ], "correct": "B. Migrate the database to Amazon DynamoDB by using AWS Database Migration Service", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company stores and manages documents in an Amazon Elastic File System (Amazon EFS) file system. The file system is encrypted with an AWS Key Management Service (AWS KMS) key. The file system is mounted to an Amazon EC2 instance that runs proprietary software. The company has enabled automatic backups for the file system. The automatic backups use the AWS Backup default backup plan. A solutions architect must ensure that deleted documents can be recovered within an RPO of 100 minutes. Which solution will meet these requirements?", "options": [ "A. Create a new IAM role. Create a new backup plan. Use the new IAM role to create backups.", "B. Create a new backup plan. Update the KMS key policy to allow the", "C. Create a new IAM role. Use the existing backup plan. Update the KMS key policy to allow", "D. Use the existing backup plan. Update the KMS key policy to allow the" ], "correct": "B. Create a new backup plan. Update the KMS key policy to allow the", "explanation": "Explanation/Reference: Community vote distribution A (73%) B (18%) 9%", "references": "" }, { "question": "Topic 1 A solutions architect must provide a secure way for a team of cloud engineers to use the AWS CLI to upload objects into an Amazon S3 bucket. Each cloud engineer has an IAM user, IAM access keys, and a virtual multi-factor authentication (MFA) device. The IAM users for the cloud engineers are in a group that is named S3-access.
The cloud engineers must use MFA to perform any actions in Amazon S3. Which solution will meet these requirements?", "options": [ "A. Attach a policy to the S3 bucket to prompt the IAM user for an MFA code when the IAM", "B. Update the trust policy for the S3-access group to require principals to use MFA when", "C. Attach a policy to the S3-access group to deny all S3 actions unless MFA is present. Use", "D. Attach a policy to the S3-access group to deny all S3 actions unless MFA is present." ], "correct": "D. Attach a policy to the S3-access group to deny all S3 actions unless MFA is present.", "explanation": "Explanation/Reference: Community vote distribution D (100%)", "references": "" }, { "question": "Topic 1 A company needs to migrate 60 on-premises legacy applications to AWS. The applications are based on the .NET Framework and run on Windows. The company needs a solution that minimizes migration time and requires no application code changes. The company also does not want to manage the infrastructure. Which solution will meet these requirements?", "options": [ "A. Refactor the applications and containerize them by using AWS Toolkit for .NET Refactoring.", "B. Use the Windows Web Application Migration Assistant to migrate the applications to AWS", "C. Use the Windows Web Application Migration Assistant to migrate the applications to", "D. Refactor the applications and containerize them by using AWS Toolkit for .NET Refactoring." ], "correct": "B. Use the Windows Web Application Migration Assistant to migrate the applications to AWS", "explanation": "Explanation/Reference: Community vote distribution B (67%) A (33%)", "references": "" }, { "question": "Topic 1 A company needs to run large batch-processing jobs on data that is stored in an Amazon S3 bucket. The jobs perform simulations. The results of the jobs are not time sensitive, and the process can withstand interruptions.
Each job must process 15-20 GB of data when the data is stored in the S3 bucket. The company will store the output from the jobs in a different Amazon S3 bucket for further analysis. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Create a serverless data pipeline. Use AWS Step Functions for orchestration. Use AWS", "B. Create an AWS Batch compute environment that includes Amazon EC2 Spot Instances.", "C. Create an AWS Batch compute environment that includes Amazon EC2 On-Demand", "D. Use Amazon Elastic Kubernetes Service (Amazon EKS) to run the processing jobs. Use" ], "correct": "B. Create an AWS Batch compute environment that includes Amazon EC2 Spot Instances.", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company has an application that analyzes and stores image data on premises. The application receives millions of new image files every day. Files are an average of 1 MB in size. The files are analyzed in batches of 1 GB. When the application analyzes a batch, the application zips the images together. The application then archives the images as a single file in an on-premises NFS server for long-term storage. The company has a Microsoft Hyper-V environment on premises and has compute capacity available. The company does not have storage capacity and wants to archive the images on AWS. The company needs the ability to retrieve archived data within 1 week of a request. The company has a 10 Gbps AWS Direct Connect connection between its on-premises data center and AWS. The company needs to set bandwidth limits and schedule archived images to be copied to AWS during non-business hours. Which solution will meet these requirements MOST cost-effectively?", "options": [ "A. Deploy an AWS DataSync agent on a new GPU-based Amazon EC2 instance. Configure the", "C. Deploy an AWS DataSync agent on a new general purpose Amazon EC2 instance.
Configure", "D. Deploy an AWS Storage Gateway Tape Gateway on premises in the Hyper-V environment." ], "correct": "C. Deploy an AWS DataSync agent on a new general purpose Amazon EC2 instance. Configure", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company wants to record key performance indicators (KPIs) from its application as part of a strategy to convert to a user-based licensing schema. The application is a multi-tier application with a web-based UI. The company saves all log files to Amazon CloudWatch by using the CloudWatch agent. All logins to the application are saved in a log file. As part of the new license schema, the company needs to find out how many unique users each client has on a daily basis, weekly basis, and monthly basis. Which solution will provide this information with the LEAST change to the application?", "options": [ "A. Configure an Amazon CloudWatch Logs metric filter that saves each successful login as a", "B. Change the application logic to make each successful login generate a call to the AWS SDK", "C. Configure the CloudWatch agent to extract successful login metrics from the logs.", "D. Configure an AWS Lambda function to consume an Amazon CloudWatch Logs stream of" ], "correct": "A. Configure an Amazon CloudWatch Logs metric filter that saves each successful login as a", "explanation": "Explanation/Reference: Community vote distribution A (86%) 14%", "references": "" }, { "question": "Topic 1 A company is using GitHub Actions to run a CI/CD pipeline that accesses resources on AWS. The company has an IAM user that uses a secret key in the pipeline to authenticate to AWS. An existing IAM role with an attached policy grants the required permissions to deploy resources. The company's security team implements a new requirement that pipelines can no longer use long-lived secret keys.
A solutions architect must replace the secret key with a short-lived solution. Which solution will meet these requirements with the LEAST operational overhead?", "options": [ "A. Create an IAM SAML 2.0 identity provider (IdP) in AWS Identity and Access Management", "B. Create an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS Identity and Access", "C. Create an Amazon Cognito identity pool. Configure the authentication provider to use", "D. Create a trust anchor to AWS Private Certificate Authority. Generate a client certificate to" ], "correct": "B. Create an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS Identity and Access", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is running a web-crawling process on a list of target URLs to obtain training documents for machine learning training algorithms. A fleet of Amazon EC2 t2.micro instances pulls the target URLs from an Amazon Simple Queue Service (Amazon SQS) queue. The instances then write the result of the crawling algorithm as a .csv file to an Amazon Elastic File System (Amazon EFS) volume. The EFS volume is mounted on all instances of the fleet. A separate system adds the URLs to the SQS queue at infrequent rates. The instances crawl each URL in 10 seconds or less. Metrics indicate that some instances are idle when no URLs are in the SQS queue. A solutions architect needs to redesign the architecture to optimize costs. Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)", "options": [ "A. Use m5.8xlarge instances instead of t2.micro instances for the web-crawling process.", "B. Convert the web-crawling process into an AWS Lambda function. Configure the Lambda", "C. Modify the web-crawling process to store results in Amazon Neptune.", "D.
Modify the web-crawling process to store results in an Amazon Aurora Serverless MySQL" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BE (100%)", "references": "" }, { "question": "Topic 1 A company needs to migrate its website from an on-premises data center to AWS. The website consists of a load balancer, a content management system (CMS) that runs on a Linux operating system, and a MySQL database. The CMS requires persistent NFS-compatible storage for a file system. The new solution on AWS must be able to scale from 2 Amazon EC2 instances to 30 EC2 instances in response to unpredictable traffic increases. The new solution also must require no changes to the website and must prevent data loss. Which solution will meet these requirements?", "options": [ "A. Create an Amazon Elastic File System (Amazon EFS) file system. Deploy the CMS to AWS", "B. Create an Amazon Elastic Block Store (Amazon EBS) Multi-Attach volume. Deploy the CMS", "C. Create an Amazon Elastic File System (Amazon EFS) file system. Create a launch template", "D. Create an Amazon Elastic Block Store (Amazon EBS) Multi-Attach volume. Create a launch" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution A (91%) 9%", "references": "" }, { "question": "Topic 1 A company needs to implement disaster recovery for a critical application that runs in a single AWS Region. The application's users interact with a web frontend that is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The application writes to an Amazon RDS for MySQL DB instance. The application also outputs processed documents that are stored in an Amazon S3 bucket. The company's finance team directly queries the database to run reports. During busy periods, these queries consume resources and negatively affect application performance. A solutions architect must design a solution that will provide resiliency during a disaster.
The solution must minimize data loss and must resolve the performance problems that result from the finance team's queries. Which solution will meet these requirements?", "options": [ "A. Migrate the database to Amazon DynamoDB and use DynamoDB global tables. Instruct the", "B. Launch additional EC2 instances that host the application in a separate Region. Add the", "C. Create a read replica of the RDS DB instance in a separate Region. Instruct the finance", "D. Create hourly snapshots of the RDS DB instance. Copy the snapshots to a separate Region." ], "correct": "B. Launch additional EC2 instances that host the application in a separate Region. Add the", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company has many services running in its on-premises data center. The data center is connected to AWS using AWS Direct Connect (DX) and an IPSec VPN. The service data is sensitive and connectivity cannot traverse the internet. The company wants to expand into a new market segment and begin offering its services to other companies that are using AWS. Which solution will meet these requirements?", "options": [ "A. Create a VPC Endpoint Service that accepts TCP traffic, host it behind a Network Load", "B. Create a VPC Endpoint Service that accepts HTTP or HTTPS traffic, host it behind an", "C. Attach an internet gateway to the VPC, and ensure that network access control and", "D. Attach a NAT gateway to the VPC, and ensure that network access control and security" ], "correct": "A. Create a VPC Endpoint Service that accepts TCP traffic, host it behind a Network Load", "explanation": "Explanation/Reference: Community vote distribution A (88%) 13%", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations to manage its AWS accounts. A solutions architect must design a solution in which only administrator roles are allowed to use IAM actions. 
However, the solutions architect does not have access to all the AWS accounts throughout the company. Which solution meets these requirements with the LEAST operational overhead?", "options": [ "A. Create an SCP that applies to all the AWS accounts to allow IAM actions only for", "B. Configure AWS CloudTrail to invoke an AWS Lambda function for each event that is related", "C. Create an SCP that applies to all the AWS accounts to deny IAM actions for all users", "D. Set an IAM permissions boundary that allows IAM actions. Attach the permissions" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company hosts some applications in a VPC in the company's shared services account. The company has attached a transit gateway to the VPC in the shared services account. The company is developing a new capability and has created a development environment that requires access to the applications that are in the shared services account. The company intends to delete and recreate resources frequently in the development account. The company also wants to give a development team the ability to recreate the team's connection to the shared services account as required. Which solution will meet these requirements?", "options": [ "A. Create a transit gateway in the development account. Create a transit gateway peering", "B. Turn on automatic acceptance for the transit gateway in the shared services account. Use", "C. Turn on automatic acceptance for the transit gateway in the shared services account.", "D. Create an Amazon EventBridge rule to invoke an AWS Lambda function that accepts the" ], "correct": "B. Turn on automatic acceptance for the transit gateway in the shared services account. 
Use", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company wants to migrate virtual Microsoft workloads from an on-premises data center to AWS. The company has successfully tested a few sample workloads on AWS. The company also has created an AWS Site-to-Site VPN connection to a VPC. A solutions architect needs to generate a total cost of ownership (TCO) report for the migration of all the workloads from the data center. Simple Network Management Protocol (SNMP) has been enabled on each VM in the data center. The company cannot add more VMs in the data center and cannot install additional software on the VMs. The discovery data must be automatically imported into AWS Migration Hub. Which solution will meet these requirements?", "options": [ "A. Use the AWS Application Migration Service agentless service and the AWS Migration Hub", "B. Launch a Windows Amazon EC2 instance. Install the Migration Evaluator agentless", "C. Launch a Windows Amazon EC2 instance. Install the Migration Evaluator agentless", "D. Use the AWS Migration Readiness Assessment tool inside the VPC. Configure Migration" ], "correct": "A. Use the AWS Application Migration Service agentless service and the AWS Migration Hub", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company that is developing a mobile game is making game assets available in two AWS Regions. Game assets are served from a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in each Region. The company requires game assets to be fetched from the closest Region. If game assets become unavailable in the closest Region, they should be fetched from the other Region. What should a solutions architect do to meet these requirements?", "options": [ "A. Create an Amazon CloudFront distribution. Create an origin group with one origin for each", "B. 
Create an Amazon Route 53 health check for each ALB. Create a Route 53 failover routing", "C. Create two Amazon CloudFront distributions, each with one ALB as the origin. Create an", "D. Create an Amazon Route 53 health check for each ALB. Create a Route 53 latency alias", "A. Create an AWS Lambda function to decompress the gzip files and to compress the files", "B. Enable S3 Transfer Acceleration for the S3 bucket. Create an S3 Lifecycle configuration to", "C. Update the VPC flow log configuration to store the files in Apache Parquet format. Specify", "D. Create a new Athena workgroup without data usage control limits. Use Athena engine" ], "correct": "C. Update the VPC flow log configuration to store the files in Apache Parquet format. Specify", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company wants to establish a dedicated connection between its on-premises infrastructure and AWS. The company is setting up a 1 Gbps AWS Direct Connect connection to its account VPC. The architecture includes a transit gateway and a Direct Connect gateway to connect multiple VPCs and the on-premises infrastructure. The company must connect to VPC resources over a transit VIF by using the Direct Connect connection. Which combination of steps will meet these requirements? (Choose two.)", "options": [ "A. Update the 1 Gbps Direct Connect connection to 10 Gbps.", "B. Advertise the on-premises network prefixes over the transit VIF.", "C. Advertise the VPC prefixes from the Direct Connect gateway to the on-premises network", "D. Update the Direct Connect connection's MACsec encryption mode attribute to" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution BC (100%)", "references": "" }, { "question": "Topic 1 A company wants to use Amazon WorkSpaces in combination with thin client devices to replace aging desktops. 
Employees use the desktops to access applications that work with Clinical trial data. Corporate security policy states that access to the applications must be restricted to only company branch office locations. The company is considering adding an additional branch office in the next 6 months. Which solution meets these requirements with the MOST operational efficiency?", "options": [ "A. Create an IP access control group rule with the list of public addresses from the branch", "B. Use AWS Firewall Manager to create a web ACL rule with an IPSet with the list of public", "C. Use AWS Certificate Manager (ACM) to issue trusted device certificates to the machines", "D. Create a custom WorkSpace image with Windows Firewall configured to restrict access to" ], "correct": "B. Use AWS Firewall Manager to create a web ACL rule with an IPSet with the list of public", "explanation": "Explanation/Reference: Community vote distribution A (80%) B (20%)", "references": "" }, { "question": "Topic 1 A company uses AWS Organizations. The company runs two firewall appliances in a centralized networking account. Each firewall appliance runs on a manually configured highly available Amazon EC2 instance. A transit gateway connects the VPC from the centralized networking account to VPCs of member accounts. Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet. During a recent incident, a badly configured script initiated the termination of both firewall appliances. During the rebuild of the firewall appliances, the company wrote a new script to configure the firewall appliances at startup. The company wants to modernize the deployment of the firewall appliances. The firewall appliances need the ability to scale horizontally to handle increased traffic when the network expands. The company must continue to use the firewall appliances to comply with company policy. 
The provider of the firewall appliances has confirmed that the latest version of the firewall code will work with all AWS services. Which combination of steps should the solutions architect recommend to meet these requirements MOST cost-effectively? (Choose three.)", "options": [ "A. Deploy a Gateway Load Balancer in the centralized networking account. Set up an endpoint", "B. Deploy a Network Load Balancer in the centralized networking account. Set up an endpoint", "C. Create an Auto Scaling group and a launch template that uses the new script as user data", "D. Create an Auto Scaling group. Configure an AWS Launch Wizard deployment that uses the" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACF (53%) ACE (29%) BCE (18%)", "references": "" }, { "question": "Topic 1 A solutions architect must implement a multi-Region architecture for an Amazon RDS for PostgreSQL database that supports a web application. The database launches from an AWS CloudFormation template that includes AWS services and features that are present in both the primary and secondary Regions. The database is configured for automated backups, and it has an RTO of 15 minutes and an RPO of 2 hours. The web application is configured to use an Amazon Route 53 record to route traffic to the database. Which combination of steps will result in a highly available architecture that meets all the requirements? (Choose two.)", "options": [ "A. Create a cross-Region read replica of the database in the secondary Region. Configure an", "B. In the primary Region, create a health check on the database that will invoke an AWS", "C. Create an AWS Lambda function to copy the latest automated backup to the secondary", "D. Create a failover routing policy in Route 53 for the database DNS record. 
Set the primary" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution AD (100%)", "references": "" }, { "question": "Topic 1 An ecommerce company runs an application on AWS. The application has an Amazon API Gateway API that invokes an AWS Lambda function. The data is stored in an Amazon RDS for PostgreSQL DB instance. During the company's most recent flash sale, a sudden increase in API calls negatively affected the application's performance. A solutions architect reviewed the Amazon CloudWatch metrics during that time and noticed a significant increase in Lambda invocations and database connections. The CPU utilization also was high on the DB instance. What should the solutions architect recommend to optimize the application's performance?", "options": [ "A. Increase the memory of the Lambda function. Modify the Lambda function to close the", "B. Add an Amazon ElastiCache for Redis cluster to store the frequently accessed data from", "C. Create an RDS proxy by using the Lambda console. Modify the Lambda function to use the", "D. Modify the Lambda function to connect to the database outside of the function's handler." ], "correct": "B. Add an Amazon ElastiCache for Redis cluster to store the frequently accessed data from", "explanation": "Explanation/Reference: Community vote distribution C (83%) D (17%)", "references": "" }, { "question": "Topic 1 A retail company wants to improve its application architecture. The company's applications register new orders, handle returns of merchandise, and provide analytics. The applications store retail data in a MySQL database and an Oracle OLAP analytics database. All the applications and databases are hosted on Amazon EC2 instances. Each application consists of several components that handle different parts of the order process. These components use incoming data from different sources. 
A separate ETL job runs every week and copies data from each application to the analytics database. A solutions architect must redesign the architecture into an event-driven solution that uses serverless services. The solution must provide updated analytics in near real time. Which solution will meet these requirements?", "options": [ "A. Migrate the individual applications as microservices to Amazon Elastic Container Service", "B. Create an Auto Scaling group for each application. Specify the necessary number of EC2", "C. Migrate the individual applications as microservices to Amazon Elastic Kubernetes Service", "D. Migrate the individual applications as microservices to Amazon AppStream 2.0. Migrate" ], "correct": "C. Migrate the individual applications as microservices to Amazon Elastic Kubernetes Service", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A company is planning a migration from an on-premises data center to the AWS Cloud. The company plans to use multiple AWS accounts that are managed in an organization in AWS Organizations. The company will create a small number of accounts initially and will add accounts as needed. A solutions architect must design a solution that turns on AWS CloudTrail in all AWS accounts. What is the MOST operationally efficient solution that meets these requirements?", "options": [ "A. Create an AWS Lambda function that creates a new CloudTrail trail in all AWS accounts in", "C. Create a new CloudTrail trail in all AWS accounts in the organization. Create new trails", "D. Create an AWS Systems Manager Automation runbook that creates a CloudTrail trail in all" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A software development company has multiple engineers who are working remotely. 
The company is running Active Directory Domain Services (AD DS) on an Amazon EC2 instance. The company's security policy states that all internal, nonpublic services that are deployed in a VPC must be accessible through a VPN. Multi-factor authentication (MFA) must be used for access to a VPN. What should a solutions architect do to meet these requirements?", "options": [ "A. Create an AWS Site-to-Site VPN connection. Configure integration between a VPN and AD", "B. Create an AWS Client VPN endpoint. Create an AD Connector directory for integration with", "C. Create multiple AWS Site-to-Site VPN connections by using AWS VPN CloudHub. Configure", "D. Create an Amazon WorkLink endpoint. Configure integration between Amazon WorkLink" ], "correct": "B. Create an AWS Client VPN endpoint. Create an AD Connector directory for integration with", "explanation": "Explanation/Reference: Community vote distribution B (100%)", "references": "" }, { "question": "Topic 1 A company is running a three-tier web application in an on-premises data center. The frontend is served by an Apache web server, the middle tier is a monolithic Java application, and the storage tier is a PostgreSQL database. During a recent marketing promotion, customers could not place orders through the application because the application crashed. An analysis showed that all three tiers were overloaded. The application became unresponsive, and the database reached its capacity limit because of read operations. The company already has several similar promotions scheduled in the near future. A solutions architect must develop a plan for migration to AWS to resolve these issues. The solution must maximize scalability and must minimize operational effort. Which combination of steps will meet these requirements? (Choose three.)", "options": [ "A. Refactor the frontend so that static assets can be hosted on Amazon S3. Use Amazon", "B. 
Rehost the Apache web server of the frontend on Amazon EC2 instances that are in an", "C. Rehost the Java application in an AWS Elastic Beanstalk environment that includes auto", "D. Refactor the Java application. Develop a Docker container to run the Java application. Use" ], "correct": "", "explanation": "Explanation/Reference: Community vote distribution ACE (60%) A (20%) BCE (20%)", "references": "" }, { "question": "Topic 1 A company is deploying a new application on AWS. The application consists of an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and an Amazon Elastic Container Registry (Amazon ECR) repository. The EKS cluster has an AWS managed node group. The company's security guidelines state that all resources on AWS must be continuously scanned for security vulnerabilities. Which solution will meet this requirement with the LEAST operational overhead?", "options": [ "A. Activate AWS Security Hub. Configure Security Hub to scan the EKS nodes and the ECR", "B. Activate Amazon Inspector to scan the EKS nodes and the ECR repository.", "C. Launch a new Amazon EC2 instance and install a vulnerability scanning tool from AWS", "D. Install the Amazon CloudWatch agent on the EKS nodes. Configure the CloudWatch agent" ], "correct": "B. Activate Amazon Inspector to scan the EKS nodes and the ECR repository.", "explanation": "Explanation/Reference: Community vote distribution B (82%) A (18%)", "references": "" }, { "question": "Topic 1 A company needs to improve the reliability of its ticketing application. The application runs on an Amazon Elastic Container Service (Amazon ECS) cluster. The company uses Amazon CloudFront to serve the application. A single ECS service of the ECS cluster is the CloudFront distribution's origin. The application allows only a specific number of active users to enter a ticket purchasing flow. These users are identified by an encrypted attribute in their JSON Web Token (JWT). 
All other users are redirected to a waiting room module until there is available capacity for purchasing. The application is experiencing high loads. The waiting room module is working as designed, but load on the waiting room is disrupting the application's availability. This disruption is negatively affecting the application's ticket sale transactions. Which solution will provide the MOST reliability for ticket sale transactions during periods of high load?", "options": [ "A. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling", "B. Move the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Split", "C. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling", "D. Move the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Split" ], "correct": "C. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling", "explanation": "Explanation/Reference: Community vote distribution C (100%)", "references": "" }, { "question": "Topic 1 A solutions architect is creating an AWS CloudFormation template from an existing manually created non-production AWS environment. The CloudFormation template can be destroyed and recreated as needed. The environment contains an Amazon EC2 instance. The EC2 instance has an instance profile that the EC2 instance uses to assume a role in a parent account. The solutions architect recreates the role in a CloudFormation template and uses the same role name. When the CloudFormation template is launched in the child account, the EC2 instance can no longer assume the role in the parent account because of insufficient permissions. What should the solutions architect do to resolve this issue?", "options": [ "A. In the parent account, edit the trust policy for the role that the EC2 instance needs to", "B. 
In the parent account, edit the trust policy for the role that the EC2 instance needs to", "C. Update the CloudFormation stack again. Specify only the CAPABILITY_NAMED_IAM", "D. Update the CloudFormation stack again. Specify the CAPABILITY_IAM capability and the" ], "correct": "B. In the parent account, edit the trust policy for the role that the EC2 instance needs to", "explanation": "Explanation/Reference: Community vote distribution A (67%) B (33%)", "references": "" }, { "question": "Topic 1 A company's web application has reliability issues. The application serves customers globally. The application runs on a single Amazon EC2 instance and performs read-intensive operations on an Amazon RDS for MySQL database. During high load, the application becomes unresponsive and requires a manual restart of the EC2 instance. A solutions architect must improve the application's reliability. Which solution will meet this requirement with the LEAST development effort?", "options": [ "A. Create an Amazon CloudFront distribution. Specify the EC2 instance as the distribution's", "B. Run the application on EC2 instances that are in an Auto Scaling group. Place the EC2", "C. Deploy AWS Global Accelerator. Configure a Multi-AZ deployment for the RDS for MySQL", "D. Migrate the application to AWS Lambda functions. Create read replicas for the RDS for" ], "correct": "A. Create an Amazon CloudFront distribution. Specify the EC2 instance as the distribution's", "explanation": "Explanation/Reference: Community vote distribution B (67%) 11% 11% 11%", "references": "" } ]