Amazon Web Services SAA-C03 Dumps

To break down consolidated billing costs by “product line” using tags, the company must use cost allocation tags and ensure those tags are activated for billing at the payer/management level. Because the teams have already applied user-defined tags to the compute resources across accounts, the correct approach is to (1) use those user-defined tags in the billing tools and (2) activate them so they appear in cost and usage reporting for consolidated billing.

B is required because cost reporting by product line depends on selecting the user-defined cost allocation tag key (for example, ProductLine=...) in AWS billing and cost management tooling (such as Cost Explorer reports). AWS-generated tags are not what teams typically use for chargeback by business dimension, and the scenario explicitly says teams tagged resources (i.e., user-defined).

E is required because in an AWS Organizations consolidated billing setup, cost allocation tag activation is handled centrally from the Organizations management account so that the tags can be used consistently in consolidated cost views and reporting. Activating tags centrally ensures the billing system recognizes and includes those tag dimensions in cost allocation data.

Option C is not relevant to billing breakdown; Resource Groups is for organizing and operating on resources, not for consolidated billing allocation. Option D is unnecessary in this scenario’s intended best practice because activation for consolidated billing reporting is done from the management account to standardize reporting. In short, you tag resources (already done), then activate the tag for billing and use it in billing reports to see cost by product line across accounts and Regions.

Therefore, B and E together meet the requirement with the correct billing-focused steps.

To securely access AWS services like S3 and Secrets Manager from a private VPC without using public IPs, interface VPC endpoints are required. These endpoints are accessible via private IP addresses. For the application to reach these endpoints, appropriate routes must be configured in the route table.

Creating a listener rule on theApplication Load Balancer (ALB)to return a maintenance response during the maintenance window is the most straightforward solution with the least operational overhead. The rule can be configured to match all incoming requests and return a custom response, and it can be easily removed once maintenance is complete.

Option A (Aurora table flag): This adds unnecessary complexity for a temporary maintenance response.

Option B and D (SQS or SNS): These options introduce more components than needed for a simple maintenance message.

AWS References:

ALB Listener Rules

Amazon S3 is the natural long-term storage service for terabytes of images and videos because it scales massively and integrates directly withAmazon SageMaker AIfor machine learning workflows. UsingS3 Intelligent-Tieringhelps optimize storage cost automatically when access patterns vary over time. AWS recommends Intelligent-Tiering when access frequency changes or is unpredictable, because the service automatically moves objects between tiers while keeping them available. The alternatives introduce extra file system copies and additional cost or use a notebook instance as a storage endpoint, which is not a scalable long-term ingestion design. Therefore, S3 with direct SageMaker integration and Intelligent-Tiering is the most scalable and cost-conscious solution. (AWS Documentation)

============

Application Load Balancer (ALB): ALB is suitable for routing HTTP/HTTPS traffic to the application servers. It provides advanced routing features and integrates well with Auto Scaling groups.

Target Group Configuration:

Create a target group for the application servers and register the Auto Scaling group with this target group.

Configure the ALB to forward requests from the web servers to the application servers.

Security Group Setup:

Configure the security group of the application servers to only allow traffic from the web servers ' security group.

This ensures that only the web servers can access the application servers, meeting the requirement to limit access.

Benefits:

Security: Using security groups to restrict access ensures a secure environment where only intended traffic is allowed.

Scalability: ALB works seamlessly with Auto Scaling groups, ensuring the application can handle varying loads efficiently.

To ensure high availability and scalability, the web application should run in anAuto Scaling groupacross two Availability Zones behind anApplication Load Balancer (ALB). The database should be migrated toAmazon RDSwithMulti-AZ deployment, which ensures fault tolerance and automatic failover in case of an AZ failure. This setup minimizes administrative overhead while meeting the company ' s requirements for high availability and scalability.

Option A: Read replicas are typically used for scaling read operations, and Multi-AZ provides better availability for a transactional database.

Option B: Replicating across AWS Regions adds unnecessary complexity for a single web application.

Option D: EC2 instances across three Availability Zones add unnecessary complexity for this scenario.

AWS References:

Auto Scaling Groups

Amazon RDS Multi-AZ

AWS recommends using anIAM role attached to the EC2 instanceso the application can obtaintemporary credentialsautomatically instead of storing long-term access keys in code or configuration. That directly follows AWS security guidance for workloads running on EC2. The role should grant only the specific S3 permissions the application needs, which satisfies the principle of least privilege. Administrative access is too broad, and IAM users with access keys are less secure because they require credential distribution and rotation. The best-practice design is therefore to attach an IAM role with only the required S3 actions to the instance profile and let the SDK retrieve temporary credentials from the instance metadata service.

============

Detailed Explanation:

A. IAM identity provider:Does not support centralized management across multiple accounts.

B. AWS Managed AD:Unnecessary if an on-premises Active Directory already exists.

C. IAM Identity Center + Existing AD:Best approach to integrate existing Active Directory for SSO, with MFA and centralized permissions.

D. Lambda for synchronization:Adds complexity and does not leverage IAM Identity Center capabilities.

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

AWS guidance for NAT Gateway recommends deploying “a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.” This provides “zone-independent architecture” and avoids cross-AZ data processing charges and single-AZ failures. Option B creates a single point of failure and incurs cross-AZ egress charges when private subnets in other AZs traverse a centralized NAT. NAT instances (C) are legacy, require manual scaling/failover/patching, and are not recommended for production HA. Option D is not supported (NLB cannot front a NAT Gateway as a target). With steady, uniform load, per-AZ NAT Gateways deliver high availability with predictable cost; routing each private subnet to its local NAT Gateway maintains security (no inbound initiated connections) and resilience. This meets the requirement for cost-effective, secure outbound connectivity across multiple AZs while preserving availability.

Aurora Global Database is designed for low-latency cross-Region reads and disaster recovery for relational data.

Amazon S3 Cross-Region Replication (CRR) automatically replicates unstructured data to another Region, ensuring high availability and resilience.

“Aurora Global Database replicates your data with typical latency of less than 1 second to secondary AWS Regions.”

“Amazon S3 Cross-Region Replication automatically replicates every object uploaded to your bucket to a destination bucket in another AWS Region.”

— Aurora Global Database

— S3 Cross-Region Replication

This combination meets the multi-Region, high availability, fault-tolerant requirement for both relational and unstructured data.

AWS Secrets Manager is the managed service for securely storing, rotating, and retrieving database credentials. When you store Aurora credentials in Secrets Manager and enable automatic rotation, Secrets Manager updates the credentials in both the database and the stored secret.

Each Lambda function version or alias can call Secrets Manager at runtime to retrieve the current secret value, so even older deployed Lambda versions that use an alias will always obtain the most recent credentials without redeployment.

Why others are not suitable:

B: Embeds credentials in code, requiring redeployment on every rotation and violating security best practices.

C: Environment variables are version-specific; old aliases would continue using outdated values unless you redeploy or change them.

D: Parameter Store can store and rotate secrets but is less integrated for database credential rotation than Secrets Manager; Secrets Manager is the purpose-built minimal-overhead choice here.

Using API Gateway and Lambda enables serverless handling of form submissions with minimal cost and infrastructure. When coupled with Amazon SNS, it allows instant email notifications without running servers, making it ideal for low-traffic workloads.

Amazon ElastiCache (Redis OSS) provides an in-memory cache that drastically improves read performance with minimal operational overhead.

It integrates easily with RDS and does not require schema or database changes.

EC2-based caching (Option C) increases management overhead.

DAX (Option D) accelerates DynamoDB only, not RDS.

Moving to DynamoDB (Option A) requires complete application and schema redesign.

=====================================================

A Network Load Balancer (NLB) supports IP address-based targets, which allows the use of both EC2 and on-premises endpoints. It also supports a static IP address or Elastic IP, which meets the requirement for a fixed IP address needed by some users.

NLB offers high performance, low latency, and minimal operational overhead. Application Load Balancer only supports instance or Lambda targets, not IP addresses outside the VPC. Route 53 Resolver is for DNS, and API Gateway is for HTTP-based APIs, not web applications.

Amazon S3 is the most cost-effective option for archiving data. Using AWS DMS to migrate to S3 in Apache Parquet format provides an optimized columnar format for analytics. By storing in S3 Glacier Flexible Retrieval, costs are minimized while maintaining compliance with retention. When queries are required, Athena can run SQL queries directly on archived data in S3 without provisioning infrastructure. Options A and B rely on maintaining RDS or EC2 instances, which increases cost and operational overhead. Option C requires full restores to EC2 before running queries, which is slow and inefficient. Therefore, D provides the lowest operational overhead and direct query capability with Athena.

To ensure that only specific AWS Lambda functions can read from or write to an Amazon SQS queue, useresource-based policiesattached directly to the SQS queue. These policies explicitly grant permissions to the IAM roles used by the Lambda functions. Additionally, the Lambda execution roles must also have IAM policies that permit SQS access. This dual-layer approach follows the AWS security best practice of granting least privilege access and ensures that no other service or entity can interact with the queue.

This is a common and supported pattern documented in theAmazon SQS Developer Guide, where resource-based policies restrict access at the queue level while IAM roles control permissions at the function level.

S3 File Gateway is the right gateway type because the on-premises workload needsNFS-based file accesswhile storing data in Amazon S3. AWS documentation states that File Gateway exposes NFS and SMB shares backed by S3 objects. For the archive requirement, the company is willing to wait days for retrieval, which aligns withS3 Glacier Deep Archive, AWS’s lowest-cost archival storage class for long-term retention. A lifecycle policy can transition the data automatically after 5 days. Volume Gateway is block-oriented, not NFS file-based, and Tape Gateway is intended for backup applications that use virtual tapes rather than standard NFS file shares. Therefore, File Gateway plus an S3 lifecycle transition to Glacier Deep Archive is the most cost-effective design.

============

Workload Discovery on AWS automatically scans AWS accounts and Regions, identifies deployed resources, and generates relationship-aware architecture diagrams. This provides a complete workload map with minimal operational effort.

Systems Manager Inventory (Option A) collects instance metadata but does not build multi-account architecture diagrams.

Step Functions (Option B) and X-Ray (Option D) require manual diagramming and do not meet the operational-efficiency requirement.

=====================================================

A warm pool is an Auto Scaling feature that keeps instances in a pre-initialized state so they can quickly join the active group when scaling is required. This reduces the time needed for instance bootstrapping and makes new capacity available almost instantly. Option A only increases capacity limits but does not address slow boot times. Option C merely extends grace periods without solving the delay. Option D forces overprovisioning, which is wasteful and not aligned with cost optimization. Using a warm pool (B) directly addresses the problem by reducing response time to scaling events.

The combination of these solutions provides an efficient and automated way to migrate data while preserving metadata and ensuring cleanup:

Create a new S3 bucket with versioning enabled(Option A) to preserve object metadata like version IDs during migration.

UseS3 batch operations(Option B) to efficiently copy data from specific prefixes in the source bucket to the destination bucket, ensuring minimal overhead.

Use an S3 Lifecycle policy(Option F) to automatically delete the data from the source bucket after it has been migrated, reducing manual intervention.

Option C (CopyObject API): This approach would require more manual scripting and effort.

Option D (Same-Region Replication): SRR is designed for ongoing replication, not for one-time migrations.

Option E (DataSync): DataSync adds more complexity than necessary for this task.

AWS References:

S3 Batch Operations

S3 Lifecycle Policies

Predictive scaling automatically analyzes historical workload patterns, forecasts future capacity needs, and launches instances ahead of time. AWS documentation states that predictive scaling is designed for workloads with recurring, cyclical patterns—such as scheduled weekly batch jobs.

It also supports " pre-launching " capacity before peak demand. This eliminates manual trend analysis and delivers the lowest operational overhead.

Scheduled scaling (Option B) works but requires manual calculation of capacity numbers and updating if patterns change. Predictive scaling removes this burden entirely.

=====================================================

AWS best practices strongly recommend enabling MFA on the root user, but they also emphasize planning for MFA device loss. AWS allows the configuration of multiple MFA devices for the root user, which provides redundancy and ensures continued access in disaster scenarios. Option B directly addresses the requirement by enabling a backup authentication method without weakening security controls.

Adding multiple MFA devices ensures that if one device is lost, damaged, or unavailable, the organization can still authenticate securely using the secondary device. This approach maintains strong security while eliminating the risk of permanent root account lockout. It also avoids time-consuming recovery processes that require contacting AWS Support and proving account ownership.

Option A is not sufficient because IAM administrator accounts do not replace root access and cannot perform certain root-only actions. Options C and D are not feasible because new administrator accounts or policy changes cannot be made if root access is already lost.

Therefore, B is the correct and AWS-recommended solution to ensure uninterrupted, secure access to the root account while maintaining MFA protection.

AmazonKinesis Data Streamsis the best choice for this scenario:

Message throughput: Kinesis Data Streams supports high throughput with enhanced fan-out and dedicated throughput for consumers.

Large message size: Supports message sizes up to 1 MB, meeting the 500 KB requirement.

Message retention: Data streams can retain messages for up to 365 days.

Strict ordering: Guarantees message ordering within shards.

Why Other Options Are Not Ideal:

Option B:

While SQS FIFO supports strict ordering, SNS topics do not. SNS also does not natively support message retention or strict ordering across consumers.Does not meet requirements.

Option C:

EventBridge does not provide strict ordering guarantees or message retention beyond 24 hours.Does not meet requirements.

Option D:

SNS topics with Data Firehose are not designed for use cases requiring strict ordering or long message retention.Does not meet requirements.

AWS References:

Amazon Kinesis Data Streams:AWS Documentation - Kinesis Data Streams

AWS Messaging Services Comparison:AWS Documentation - Messaging Services

For global low latency, AWS recommends using Amazon CloudFront as a content delivery network in front of both static and dynamic origins when possible.

Static content on Amazon S3 + CloudFront is the standard cost-effective pattern: S3 for low-cost durable storage, CloudFront for global edge caching.

Dynamic content exposed via Amazon API Gateway HTTP API can also be used as an origin for CloudFront, giving global users reduced latency and the ability to cache appropriate responses (when safe).

This pattern minimizes cost by:

Using S3 instead of EC2 for static hosting.

Using HTTP APIs (cheaper than REST APIs) for dynamic content.

Offloading a significant portion of requests to CloudFront cache.

Why the other options are not correct:

B: Static content is not fronted by CloudFront, so global latency is higher.

C: EC2-based web servers for the core web tier add more operational and cost overhead than needed for a mostly static + API pattern.

D: Only the static content uses CloudFront; the dynamic API still lacks a latency-optimized global entry point.

For spiky retail order traffic, a serverless architecture is a strong fit because it scales automatically without pre-provisioning servers. API Gateway can receive the order requests, Lambda can process them on demand, and DynamoDB on-demand mode can absorb unpredictable bursts without capacity planning. This design is more elastic than the EC2-based answers and avoids the single-instance bottlenecks in A and B. Option D is scalable, but it involves more infrastructure management and reader nodes do not directly solve write-heavy order-ingestion spikes. Therefore, API Gateway plus Lambda plus DynamoDB on-demand is the most resilient and scalable solution for this high-traffic event-driven workload.

============

EMR runtime roles allow fine-grained permissions per job, letting each team access only the services they are authorized to use. This isolates IAM permissions per workload and avoids exposing instance-level credentials through IMDSv2. Runtime roles improve security posture in multi-tenant EMR environments.

Amazon Kinesis Data Streams provides a highly scalable and durable service for ingesting real-time streaming data. By decoupling ingestion and processing, Kinesis can handle large spikes in traffic without service disruption. Lambda functions (or other consumers) can then process the data as it arrives, scaling automatically. This pattern avoids 503 errors due to compute saturation and delivers a resilient, serverless, and highly scalable architecture.

Reference Extract from AWS Documentation / Study Guide:

" Kinesis Data Streams provides a scalable and durable real-time data streaming service. Coupling Kinesis with AWS Lambda enables event-driven processing, elasticity, and decoupling between ingestion and processing layers. "

Source: AWS Certified Solutions Architect – Official Study Guide, Streaming and Serverless section.

The requirement is secure, permanent connectivity to two VPCs without enabling VPC-to-VPC communication. Option B achieves this by establishing a separate Site-to-Site VPN connection between the remote office and each VPC. Updating each VPC’s route tables ensures traffic from the remote office reaches the correct VPC resources, while preventing routing between the VPCs themselves. Options involving transit gateways (A and D) would introduce transitive routing capabilities, which violates the requirement of isolation between VPCs. Option C (VPC peering) directly conflicts with the requirement by enabling cross-VPC access. Therefore, option B is the correct solution as it maintains isolation while providing secure VPN connectivity.

The correct answer isCbecause the company needs asecure cross-account accesssolution that usestemporary credentials, followsleast privilege, and avoidslong-term access keys. The best practice for this design is to allow anIAM role in Account Ato access theAmazon S3 bucket in Account Bthrough aresource-based bucket policy. Analysts or applications in Account A can assume the IAM role and receive temporary credentials through AWS Security Token Service (AWS STS), which satisfies the requirement to avoid permanent access keys.

This approach is secure because permissions can be scoped precisely to the required bucket and prefixes, supporting least-privilege access. It also avoids creating separate IAM users in Account B and eliminates the operational and security risks of sharing static credentials across accounts. Cross-account access through IAM roles and S3 bucket policies is the standard AWS pattern for securely granting one account access to resources in another account.

Option A is incorrect because creating IAM users and sharing access keys introduces long-term credentials, which the company explicitly wants to avoid. Option B is incorrect because making the S3 bucket public violates security requirements and does not enforce least privilege. Option D is incorrect because using a bastion host adds unnecessary infrastructure and operational overhead and is not the recommended approach for S3 access.

AWS security best practices favorrole-based access with temporary credentialsandresource policiesfor cross-account resource sharing. Therefore, configuring the S3 bucket policy in Account B to allow access from an IAM role in Account A is the most secure and appropriate solution.

A Network Load Balancer operates at Layer 4 (TCP/UDP/TLS) and is optimized for high performance and static IP use cases. While NLB target groups can perform health checks, they are typically oriented around basic reachability and do not provide the same application-layer (Layer 7) visibility as an Application Load Balancer (ALB). The problem statement says the NLB is “not detecting HTTP errors,” which indicates the health signal needs to be based on an HTTP endpoint that can reflect application correctness (for example, returning specific HTTP status codes).

Replacing the NLB with an ALB enables true HTTP/HTTPS health checks against a URL path, including interpretation of HTTP response codes. This is the cleanest managed approach to detect application-layer failure modes that still allow TCP connections but produce bad HTTP responses. Once the ALB detects targets as unhealthy, the target group health status can be used by an Auto Scaling group to take action. With appropriate health check configuration (and, commonly, using ELB health checks as a signal), Auto Scaling can replace unhealthy instances automatically, improving availability without custom scripts.

Option A is misleading: NLB does not provide the same HTTP-aware request routing and rich L7 features; even if an NLB health check is configured, it does not address the broader need for application-layer detection and remediation as directly as ALB. Option B violates the “no custom scripts” requirement. Option D reacts to UnhealthyHostCount, but if the NLB isn’t marking hosts unhealthy for HTTP error cases, the metric won’t reliably trigger replacement; it also still depends on the NLB’s limited visibility into HTTP failures.

Therefore, C best meets the requirement by shifting to ALB for application-layer health checks and using Auto Scaling to replace unhealthy instances automatically.

AWS Direct Connect: Provides a dedicated network connection from your on-premises data center to AWS, ensuring low latency and consistent network performance.

Direct Connect Gateway Association:

Direct Connect Gateway: Acts as a global network transit hub to connect VPCs across different AWS regions.

Association with Transit Gateway: Enables communication between on-premises data centers and multiple VPCs connected to the transit gateway.

Transit Virtual Interface (VIF):

Create Transit VIF: To connect Direct Connect with a transit gateway.

Setup Steps:

Establish a Direct Connect connection.

Create a transit VIF to the Direct Connect gateway.

Associate the Direct Connect gateway with the transit gateway attached to the VPCs.

Cost Efficiency: This combination avoids the recurring costs and potential performance variability of VPN connections, providing a robust, low-latency hybrid network solution.

This solution leverages:

Amazon Redshift Spectrum to query S3 data directly from Redshift.

Amazon Athena for ad-hoc analysis of S3 data.

Amazon QuickSight for unified visualization from multiple data sources.

“Redshift Spectrum enables you to run queries against exabytes of data in Amazon S3 without having to load or transform the data.”

“QuickSight supports both Amazon Redshift and Amazon Athena as data sources.”

— Redshift Spectrum

— Amazon QuickSight Supported Data Sources

This architecture allows scalable querying and visualization with minimum ETL overhead, ideal for BI dashboards.

Incorrect Options:

A: The query editor is not a BI tool.

B, D: Grafana is better for time-series data, not structured analytics or BI reports.

AWS VPC endpoints (interface and gateway) allow private connectivity from VPC resources to AWS services without requiring public IP addresses or internet gateways. This ensures applications remain isolated in private subnets while securely accessing AWS services. NAT gateways (B) would allow internet access, which does not meet the security requirement. Internet gateways (C) directly expose traffic to the internet, which violates the isolation requirement. Direct Connect (D) connects on-premises environments to AWS but does not provide service access from private subnets. Therefore, option A — using interface VPC endpoints — is the correct solution.

IAM Roles for Service Accounts (IRSA) is the AWS-recommended mechanism to grant fine-grained, pod-level AWS permissions in Amazon EKS. IRSA avoids the security risks of granting permissions to the entire node and aligns with the principle of least privilege.

To implement IRSA, two core components are required. First, an IAM role must be created with a trust policy that references an OIDC identity provider associated with the EKS cluster. This is why Option E is required. The OIDC provider allows AWS STS to authenticate Kubernetes service accounts and issue temporary credentials. Without this trust relationship, service accounts cannot assume IAM roles securely.

Second, the Kubernetes service account must be explicitly annotated with the ARN of the IAM role it is allowed to assume. This is provided by Option D. The annotation creates a direct mapping between a specific service account and a specific IAM role, ensuring granular access control at the pod level.

Option A is incorrect because attaching policies to the node IAM role grants permissions to all pods on the node, which violates least-privilege principles. Option B addresses network-level access but does not control AWS API authorization. Option C is incorrect because IAM roles should not be overloaded with permissions for multiple service accounts, and there is no direct one-to-one mapping between IAM roles and Kubernetes roles in this way.

Therefore, D and E together form the correct and secure IRSA configuration, enabling granular, auditable, and secure access to AWS resources from EKS workloads.

The correct approach is to attach anIAM roleto the EC2 instance profile and grant that role permission to read the secret fromAWS Secrets Manager. AWS documentation states that Secrets Manager uses IAM for authentication and authorization, and EC2 instance profiles are the supported mechanism for providing temporary credentials to applications running on EC2 instances. This avoids hardcoded credentials and removes the need for long-term access keys on the server. The other options either misuse IAM users, rely on the wrong access mechanism, or do not reflect how Secrets Manager permissions are normally granted to workloads.

============

DynamoDB Streams: Captures real-time changes in DynamoDB tables and allows integration with Lambda for processing the changes.

Minimal Operational Overhead: Using a Lambda function directly to write data to S3 ensures simplicity and reduces the complexity of the pipeline.

Amazon DynamoDB Streams Documentation

The company’s requirements are:

Store gigabytes of rarely accessed files daily.

Files must be available within minutes during the first year.

Retain files for 7 years cost-effectively.

The S3 Glacier Instant Retrieval storage class provides low-cost, long-term storage for data accessed occasionally, with millisecond retrieval time. This fits the requirement for availability within minutes during the first year. After one year, transitioning files to S3 Glacier Deep Archive (the lowest cost S3 storage class) with longer retrieval times is cost-effective for data retention over 7 years.

Option B uses S3 Standard and Glacier Flexible Retrieval, which is higher cost during the first year and slower retrieval times. Option C is less cost-efficient because EBS volumes are expensive for rarely accessed data and snapshots incur additional costs. Option D uses EFS, which is designed for low-latency file storage but is more expensive than S3 Glacier classes for long-term archival.

AWS WAF Bot Control is the best fit because the problem is abusive automated traffic submitting unnecessary requests and consuming compute resources. AWS documents that the Bot Control managed rule group is specifically designed to identify and manage bot traffic, including high-confidence bot signatures and common bot categories. This is more targeted than maintaining custom IP blocks and more directly aligned to the behavior described than general IP reputation controls. AWS Shield focuses on DDoS protection, not detailed application-layer bot categorization. Therefore, associating a WAF web ACL with the ALB and enabling Bot Control is the most appropriate solution.

============

AWS DataSync provides a fully managed, secure, and high-performance service for transferring large amounts of data between on-premises storage and Amazon S3. It uses TLS encryption in transit and automates data validation, scheduling, and monitoring.

From AWS Documentation:

“AWS DataSync securely and efficiently transfers large amounts of data online between on-premises storage and AWS services. All data is encrypted in transit using TLS.”

(Source: AWS DataSync User Guide – How DataSync Works)

Why B is correct:

Encrypts all data in transit automatically.

Optimized for high-throughput WAN environments (100 Mbps to multi-Gbps).

Fully managed, with no need to provision additional infrastructure.

Integrates natively with S3 and supports incremental syncs.

Why others are incorrect:

A: DMS is designed for database migration, not unstructured data.

C: Snowball is for offline migrations, not needed given available connectivity.

D: Direct Connect is costly for temporary data transfers and unnecessary here.

Edge-optimized API endpointsroute requests through CloudFront, reducing latency for global users.

Option Acorrectly implements edge-optimization, caching, and compression to minimize latency.

Options B and Ddo not use edge optimization, leading to higher latency for global users.

Reserved concurrency inOptions C and Dimproves backend scaling but does not address global latency directly.

AWS Control Tower provides automatic account governance, centralized logging, CloudTrail aggregation, and integrates directly with AWS Security Hub, which evaluates compliance against FSBP standards. This is the lowest operational overhead AWS-native solution.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

To achieve resilience across multiple Availability Zones, the architecture should use services that natively provide Multi-AZ durability and failover with minimal manual intervention. For static website content, Amazon S3 is the natural choice because it stores objects durably and is designed for high availability; it also integrates well with common web delivery patterns. For the database, the requirement is explicitly Microsoft SQL Server and resilience across AZs.

An Amazon RDS for SQL Server Multi-AZ deployment (Option B) is designed to provide high availability by maintaining a standby replica in a different Availability Zone and performing automated failover in certain failure scenarios. This meets the Multi-AZ resiliency requirement while reducing operational overhead compared to self-managed database clustering on EC2.

Option A uses RDS Custom for SQL Server, which is intended for scenarios where you need OS-level and database-level access/customization. That typically increases operational responsibility and is not the simplest “resilient Multi-AZ” answer unless the scenario demands deep customization (it does not here). Options C and D propose using EBS Multi-Attach for static content, which is not a good fit for static website assets and adds complexity; Multi-Attach is limited and does not replace object storage semantics. Option D also adds substantial operational overhead by running and managing SQL Server across EC2 instances in multiple AZs, including patching, backups, and HA configuration.

Therefore, B best meets all requirements: S3 for static object content and RDS for SQL Server Multi-AZ for resilient, managed database high availability across Availability Zones.

SSE-KMS: Server-side encryption with AWS Key Management Service (SSE-KMS) provides robust encryption of data at rest, integrated with AWS KMS for key management and auditing.

Automatic Key Rotation: By enabling automatic rotation for the KMS keys, the system ensures that keys are rotated annually without manual intervention, meeting compliance requirements.

Logging and Auditing: AWS KMS automatically logs all key usage and management actions in AWS CloudTrail, providing the necessary audit logs.

Implementation:

Create a KMS key with automatic rotation enabled.

Configure the S3 bucket to use SSE-KMS with the created KMS key.

Ensure CloudTrail is enabled for logging KMS key usage.

Operational Efficiency: This solution provides encryption, automatic key management, and auditing in a seamless, fully managed way, reducing operational overhead.

Amazon EFSwithMax I/O performance modeis designed for workloads that require high levels of parallelism, such as video processing across multiple EC2 instances. EFS provides shared file storage that can be mounted on both Windows and Linux EC2 instances, and the Max I/O mode ensures the best performance for handling large files and concurrent access across multiple instances.

Option A and B (FSx for Windows File Server): FSx for Windows File Server is optimized for Windows workloads and would not be ideal for Linux instances or high-throughput, parallel workloads.

Option D (EFS General Purpose mode): General Purpose mode offers lower latency but doesn ' t support the high throughput needed for large, concurrent workloads.

AWS References:

Amazon EFS Performance Modes

Amazon Aurora MySQL provides:

Continuous, incremental backups to Amazon S3 with point-in-time recovery (PITR), allowing recovery to any point within the retention window (typically up to 35 days). This easily achieves an RPO of less than 5 hours, often down to seconds.

Support for database auditing parameters so audit logs can be retained and managed (for example, in database logs or external log services) to meet the 7-day audit requirement.

Auto scaling (via read replicas, Aurora Serverless v2, or capacity management) to handle variable read/write demand throughout the year with minimal operational overhead.

Why others are less suitable:

A: DynamoDB is NoSQL and does not directly satisfy typical relational database + SQL audit requirements; Streams also only retain 24 hours, not 7 days, and on-demand backups do not inherently give an RPO < 5 hours without frequent scheduling.

B: Amazon Redshift is a data warehouse, not a primary transactional application database.

C: Snapshots every 5 hours give an RPO of up to 5 hours, not less than 5 hours, and rely on discrete snapshot points rather than continuous PITR.

The IAM policy includes two statements:

1️⃣ Allow ec2:TerminateInstances on all resources

2️⃣ Deny ec2:TerminateInstances if the request does NOT come from:

192.0.2.0/24

203.0.113.0/24

AWS IAM policy evaluation rules state:

Explicit Deny always overrides Allow.

A request must meet all applicable conditions in the policy to be granted.

aws:SourceIp condition applies when IAM actions are invoked via the public AWS APIs.

In this scenario, the administrator is not originating the request from one of the allowed CIDR blocks, so the Deny condition is triggered, overriding the Allow statement.

Therefore, the operation is blocked with:

403 AccessDenied: explicit deny

This matches the behavior described in the AWS IAM Policy Evaluation Logic used in the Security Pillar of the Well-Architected Framework:

Explicit Deny > Allow > Default Deny

IP-based Conditions restrict API calls originating outside approved network ranges

Options A/B/C do not accurately reflect this explicit Deny condition behavior.

Detailed Explanation:

A. EventBridge Rule:Detects modifications to CloudFront distributions in real time and triggers the Lambda function for further action.

B. ALB + Config:Focuses on ALB security violations, not relevant for CloudFront logging changes.

C. Lambda + SNS:Provides real-time notifications about changes in logging configuration.

D. GuardDuty:Focuses on threat detection, not logging configuration changes.

E. API Gateway + WAF:Unrelated to CloudFront logging changes.

AWS Key Management Service (AWS KMS) supports multi-Region keys, which are managed customer master keys that can be replicated to multiple Regions and treated as a single logical key. This allows applications in different Regions to encrypt and decrypt data using equivalent keys while AWS handles key replication, durability, and availability.

KMS is a fully managed key service, so the company does not need to operate hardware or manage low-level key storage. Tags combined with attribute-based access control (ABAC) let you enforce fine-grained access to keys by using IAM policies and condition keys, giving centralized and flexible access control with low operational overhead.

CloudHSM (Options C and D) requires managing HSM clusters, scaling, backups, and manual key operations, which significantly increases operational burden. Importing key material in KMS (Option B) adds lifecycle complexity and is unnecessary when native multi-Region keys exist.

Amazon Route 53 is a highly available and scalable authoritative DNS service. To move a public domain, you create a public hosted zone, import or recreate the zone records, and then update the registrar to use the Route 53 name servers assigned to the zone. Route 53 is globally distributed and designed for rapid propagation and resilience, and supports features such as health checks and routing policies. A private hosted zone (Option B) is resolvable only by VPCs that are associated with it and is not for public internet DNS. Directory Service and zone transfers (Option C) are unrelated to Route 53 public DNS hosting. Route 53 Resolver inbound endpoints (Option D) provide hybrid DNS forwarding for VPC workloads, not authoritative public hosting. Therefore, the fastest AWS-native migration path to a resilient managed DNS is to create a Route 53 public hosted zone and import the existing zone file.

This is a classic use case for Amazon Kinesis Data Streams + OpenSearch + QuickSight:

Kinesis Data Streams: For real-time ingestion and processing

OpenSearch Service: For fast full-text search, indexing, and analysis

QuickSight: For rich dashboard visualizations

This stack is fully managed, scalable, and native to AWS, minimizing operational overhead.

AWS Auto Scaling is the right answer because the requirement is to adjust capacity automatically based on a predictable time-based usage pattern. AWS documentation states that you can use scheduled scaling actions with Amazon EC2 Auto Scaling to change desired capacity at specific times or on recurring schedules. That makes it well suited for workloads that need more capacity during the day and less at night. Spot Instances and Reserved Instances are pricing models, not automation mechanisms for scheduled capacity changes. CloudFormation provisions infrastructure but does not itself optimize day-night scaling behavior. Therefore, AWS Auto Scaling is the correct service for this requirement.

Amazon S3 Intelligent-Tiering is the most cost-effective solution for this scenario, providing both high availability and durability while adjusting automatically to changing access patterns. It moves data across two access tiers: one optimized for frequent access and another for infrequent access, based on usage patterns. This tiering ensures that the company avoids paying for unused storage while also keeping frequently accessed data in a more accessible tier.

Key AWS references and benefits ofS3 Intelligent-Tiering:

High Durability and Availability: Amazon S3 offers 99.999999999% durability and 99.9% availability for objects stored, ensuring data is always protected.

Automatic Tiering: Data is automatically moved between tiers based on access patterns, making it ideal for workloads with unpredictable or variable access patterns.

No Retrieval Fees: Unlike S3 One Zone-IA or Glacier, there are no retrieval fees, making this more cost-effective in scenarios where access patterns vary over time.

AWS Documentation: According to the AWS Well-Architected Framework under theCost Optimization Pillar, S3 Intelligent-Tiering is recommended for storage when access patterns change over time, as it minimizes costs while maintaining availability​.

Amazon RDS Proxyis the correct answer because it is specifically designed to improve connection handling for relational databases, including Aurora. AWS documentation explains that RDS Proxy providesconnection pooling, helps handleunpredictable surges in database traffic, and automatically determines the current Aurora writer instance. That reduces the stress of large numbers of short-lived connections and improves application behavior during failover events because clients reconnect through the proxy rather than directly to database endpoints. Switching database engines would be unnecessary and disruptive. DAX is for DynamoDB, not Aurora. Therefore, placingRDS Proxyin front of the Aurora cluster is the most direct way to reduce connection pressure and improve failover behavior. (AWS Documentation)

============

Option A is the most operationally efficient because it moves permissions from individual users todepartment-based IAM groups, which is easier to manage consistently at scale. AWS IAM best practices emphasize applyingleast privilegeand note that managed policies can help get started, though broad managed policies like AdministratorAccess are not least privilege in the strictest sense. Given the answer choices, placing engineering and operations users into separate groups with the appropriate policies and removing direct user-level permissions is the cleanest and most maintainable improvement. Options C and D still leave user-by-user administration, and option B is clearly over-permissive.

============

Amazon Athena provides a cost-effective, serverless way to query data without affecting the performance of DynamoDB. By using the Athena DynamoDB connector, the company can perform the necessary SQL queries without consuming read capacity on the DynamoDB table, which is essential for minimizing impact on provisioned throughput.

Key benefits:

Minimal Impact on Provisioned Capacity: Athena queries do not directly impact DynamoDB’s read capacity, making it ideal for running analytics without affecting the customer-facing workloads.

Cost-Effective: Athena is a serverless solution, meaning you pay only for the queries you run, making it highly cost-effective compared to running a dedicated cluster like Amazon EMR or Redshift.

AWS Documentation: The use of Athena to query DynamoDB through its connector aligns with AWS ' s best practices for performance efficiency and cost optimization​​.

The right solution isAPI Gateway + Lambda + Amazon Comprehend + DynamoDB. AWS documents that Amazon Comprehend is the NLP service for detecting entities, sentiment, and key phrases, which matches the workload exactly. DynamoDB is a fully managed, distributed database designed for high-throughput workloads and single-digit millisecond performance at scale, making it a strong fit for a highly available application handling many concurrent requests. The other answers misuse services: Amazon Translate is for translation, Amazon Textract is for extracting text from documents, and ElastiCache is a cache rather than the durable primary database described in the question. This makes option A the only architecture that aligns with both the NLP functions and the scalable database requirement. (AWS Documentation)

============

Amazon API Gateway supportsresource policies, which allow you to control access to your API by specifying the IP addresses or ranges that can access the API. By creating a resource policythat explicitly denies access to any IP address outside the allowed set, you can ensure that only trusted IP addresses (such as those from your internal network) can access the critical information in your API. This approach provides fine-grained access control without the need for additional infrastructure or complex configurations.

Option A (Private integration): API Gateway private integrations are for creating private APIs that are only accessible within a VPC, but this solution is about restricting access to certain IP addresses.

Option C (Private subnet and ACLs): Deploying the API in a private subnet and using network ACLs adds unnecessary complexity and isn ' t the best fit for HTTP APIs.

Option D (Security group): API Gateway doesn ' t have a security group because it isn ' t a resource inside a VPC. Instead, resource policies are the correct mechanism for controlling IP-based access.

AWS References:

Controlling Access to API Gateway with Resource Policies

This solution provides the most secure access for external support engineers with the least exposure to potential security risks.

AWS Systems Manager (SSM) and Session Manager: Systems Manager Session Manager allows secure and auditable access to EC2 instances without the need to open inbound SSH ports or manage SSH keys. This reduces the attack surface significantly. The SSM Agent must be installed and configured on all instances, and the instances must have an instance profile with the necessary IAM permissions to connect to Systems Manager.

IAM Identity Center: IAM Identity Center provides centralized management of access to the AWS Management Console for external support engineers. By using IAM Identity Center, youcan control console access securely and ensure that external engineers have the appropriate permissions based on their roles.

Why Not Other Options?:

Option B (Local IAM user credentials): This approach is less secure because it involves managing local IAM user credentials and does not leverage the centralized management and security benefits of IAM Identity Center.

Option C (Security group with SSH access): Allowing SSH access opens up the infrastructure to potential security risks, even when restricted by IP addresses. It also requires managing SSH keys, which can be cumbersome and less secure.

Option D (Bastion host): While a bastion host can secure SSH access, it still requires managing SSH keys and opening ports. This approach is less secure and more operationally intensive compared to using Session Manager.

AWS References:

AWS Systems Manager Session Manager- Documentation on using Session Manager for secure instance access.

AWS IAM Identity Center- Overview of IAM Identity Center and its capabilities for managing user access.

Lambda supports mounting an Amazon EFS file system inside your function to store larger dependencies beyond the 250 MB layer quota.

EFS automatically encrypts data in transit using TLS.

“You can configure your Lambda function to mount an Amazon EFS file system, enabling your function to access large amounts of data or large dependencies.”

“Amazon EFS automatically encrypts all data at rest and in transit.”

— Lambda with Amazon EFS

This is the least operational overhead approach.

For near-real-time streaming workloads that are highly latency-sensitive, the network layer must provide ultra-low latency and high throughput between compute nodes. Elastic Fabric Adapter (EFA) is specifically designed to meet these requirements. EFA enables EC2 instances to communicate using a high-performance network interface that bypasses traditional TCP/IP networking, providing lower and more consistent latency. This is especially valuable for tightly coupled workloads that require fast inter-node communication.

Option B is the correct choice because EFA supports custom networking stacks and is optimized for applications such as real-time data processing, distributed computing, and high-performance workloads. EFA integrates directly with supported EC2 instance types and allows applications to take advantage of enhanced networking capabilities without requiring complex multi-VPC architectures.

Option A introduces additional network hops and latency due to VPC peering and is not suitable for ultra-low-latency workloads. Option C (spread placement groups) is designed to increase fault tolerance by placing instances on separate hardware, but it does not optimize for low-latency communication and may actually increase network distance between instances. Option D improves storage performance, not network performance, and does not affect inter-instance latency.

Therefore, B is the best solution because Elastic Fabric Adapter is the AWS-recommended approach for achieving the lowest possible network latency between EC2 instances in performance-critical streaming architectures.

S3 Object Lock: Enables Write Once Read Many (WORM) protection for data, preventing objects from being deleted or modified for a set retention period.

S3 Versioning: Helps maintain object versions and ensures a recovery path for accidental overwrites.

CloudFront Distribution: Ensures secure and efficient public access by serving content through an edge-optimized delivery network while protecting S3 data with OAC.

Bucket Policy for OAC: Restricts public access to only the CloudFront origin, ensuring maximum security.

Amazon S3 Object Lock Documentation

For latency-sensitive, globally distributed applications such as online gaming, minimizing network latency between users and application endpoints is critical. AWS Global Accelerator is designed specifically for this purpose. It uses the AWS global network and Anycast IP addresses to route user traffic to the closest healthy endpoint, reducing latency and improving performance for users worldwide.

Option C is the best solution because Global Accelerator directs traffic over the AWS backbone network instead of the public internet, which significantly reduces jitter and latency. It also provides built-in health checks and automatic failover, improving availability as the service expands globally. Importantly, Global Accelerator works seamlessly with existing Application Load Balancers, allowing the company to enhance performance without redesigning the application stack.

Option A (CloudFront) is optimized for caching static and cacheable content and is not ideal for real-time, stateful gaming traffic. Option B adds unnecessary API abstraction and additional latency. Option D introduces regional duplication and DNS-based routing, which is slower to react to network conditions and does not provide the same low-latency routing as Global Accelerator.

Therefore, C meets the requirement for global expansion with the least possible latency while maintaining a simple and highly performant architecture.

AWS Shield Advanced provides:

• 24/7 access to the AWS DDoS Response Team (DRT)

• Near real-time attack visibility and metrics

• Protection for CloudFront, ALB, NLB, and Route 53

Shield Standard (Option B) does not include DDoS response team support.

WAF (Option A) provides rules-based filtering, not DDoS assistance.

Macie (Option C) is for PII discovery, not DDoS protection.

=====================================================

The SELECT INTO OUTFILE S3 feature allows you to export Amazon Aurora MySQL data directly to Amazon S3 with minimal operational overhead. This method is efficient and cost-effective for archiving historical data.

You can configure S3 Lifecycle rules to transition the exported data to lower-cost storage (e.g., S3 Glacier or S3 Standard-IA) and eventually delete it after 5 years.

No need for additional ETL tools like Glue or DataBrew unless complex transformations are required.

Application Load Balancer (ALB) supports HTTP/HTTPS layer 7 routing, including header-based routing, path-based routing, and host-based routing.

AWS WAF is designed to provide rules-based filtering (block, allow, count) of HTTP(S) requests to protect applications from common exploits and malicious traffic.

ALB integrates directly with AWS WAF, so you can attach a web ACL with custom rules defined by the security team to block specific patterns while still using header-based routing.

Why the others are not correct:

A: Mutual TLS adds client certificate authentication but does not provide rules-based blocking or WAF-style inspection.

C: AWS Config is for configuration compliance and auditing, not request filtering.

D: NLB operates at layer 4 (TCP/UDP); it does not support HTTP header-based routing.

AWS Lambda function URLs are specifically designed to give a Lambda function a simple direct HTTP(S) endpoint. AWS documentation describes function URLs as a straightforward way to invoke a Lambda function through an HTTP request, and AWS even provides a webhook tutorial built around Lambda function URLs. That makes this the most operationally efficient option because it avoids placing an ALB in front of the function or building an unnecessary messaging layer with SNS or SQS. The requirement is simply to expose the Lambda function so a third party can call it through a webhook. Function URLs are the lightest-weight AWS-native feature for that use case and provide the fastest path from webhook sender to function execution. (AWS Documentation)

============

The first step is to configure a delegated administrator account for IAM Access Analyzer at the organization level. Only after delegating the administrator account can you aggregate Access Analyzer findings from all member accounts into a designated audit account. This must be set up in the AWS Organizations management account.

AWS Documentation Extract:

“You must designate a delegated administrator for IAM Access Analyzer at the organization level. The delegated administrator account aggregates findings from all member accounts.”

(Source: IAM Access Analyzer documentation)

A, C, D: These steps do not establish the organization-wide aggregation required for Access Analyzer.

EMR managed scaling dynamically resizes the cluster by adding or removing nodes based on the workload. This feature helps minimize idle time and reduces costs by scaling the cluster to meet processing demands efficiently.

Option A:Increasing the number of core nodes might increase idle time further, as it does not address the root cause of underutilization.

Option C:Migrating the job to Lambda is infeasible for large analytics jobs due to resource and runtime constraints.

Option D:Changing to memory-optimized instances may not necessarily reduce idle time or optimize costs.

AWS Documentation References:

EMR Managed Scaling

Amazon S3 File Gateway provides a local NFS mount point, which can be used with minimal changes by the legacy application. Files are transparently uploaded to Amazon S3, allowing the web application to access them directly from S3. This is the most cost-effective and operationally simple way to bridge legacy on-premises NFS output with S3, requiring no changes to the batch process.

AWS Documentation Extract:

“With S3 File Gateway, you can provide applications a local file interface to Amazon S3. S3 File Gateway presents a file-based interface (NFS or SMB), allowing you to use S3 as your scalable, durable storage while making files available to legacy applications.”

(Source: AWS Storage Gateway documentation)

A: Outposts is far more costly and complex than needed.

B: Volume Gateway presents iSCSI block storage, not NFS.

C: Requires re-coding the legacy app to use S3 APIs, not NFS.

To achieve high availability for the website, two key actions should be taken:

Amazon RDS for MySQL Multi-AZ: By migrating the database to an RDS for MySQL Multi-AZ deployment, the database becomes highly available. Multi-AZ provides automatic failover from the primary database to a standby replica in another Availability Zone, ensuring database availability even in the case of an AZ failure.

Application Load Balancer and Auto Scaling: Deploying an Application Load Balancer (ALB) in front of the EC2 instances ensures that traffic is evenly distributed across the instances. Configuring an Auto Scaling group to run EC2 instances across multiple Availability Zones ensures that the application remains available even if one instance or one AZ becomes unavailable. This setup enhances fault tolerance and improves reliability.

Why Not Other Options?:

Option A (Internet Gateway per AZ): Internet Gateways are region-wide resources and do not need to be provisioned per Availability Zone. This option does not contribute to high availability.

Option C (DynamoDB + Auto Scaling): DynamoDB would require changes to the application code to switch from MySQL, which is not possible per the question ' s constraints.

Option D (DataSync): AWS DataSync is used for data transfer and synchronization, not for achieving high availability for a database.

AWS References:

Amazon RDS Multi-AZ Deployments- Explanation of how Multi-AZ deployments work in Amazon RDS.

Application Load Balancing- Details on how to configure and use ALB for distributing traffic across multiple instances.

AWS guidance for global, highly available, low-latency applications using a relational database recommends:

Amazon CloudFront with Amazon S3 for static content to cache data at edge locations globally and minimize latency for static assets.

A regional application tier deployed close to users using managed container services such as Amazon ECS on AWS Fargate, which removes the need to manage servers and scales automatically, reducing operational overhead.

A relational database tier using Amazon Aurora global database, which is purpose-built for globally distributed applications. Aurora global database provides a primary cluster in one Region with low-latency read replicas in secondary Regions and fast cross-Region replication, enabling low-latency reads and high availability for global users.

Option A uses only a single Region, which does not meet the “global users with low latency” requirement.

Option C uses RDS and DMS-based replication, which requires more management and does not provide Aurora’s integrated global database features.

Option D replaces the relational database with DynamoDB, which violates the requirement that the application interacts with a relational database.

The best practice to securely provide short-term access to AWS resources, such as Amazon S3, without using long-term credentials, is to use AWS Security Token Service (STS). According to the AWS IAM Best Practices and the Security Pillar of the AWS Well-Architected Framework, temporary credentials should always be used over long-term credentials when possible.

From AWS IAM Documentation:

“Use temporary credentials (IAM roles and AWS STS) instead of long-term access keys. Temporary security credentials are short-term, automatically expire, and are retrieved using AWS STS.”

(Source: IAM Best Practices – IAM User Guide)

Option D outlines the use of a trust relationship and assume-role mechanism via AWS STS. This allows the on-premises application to request temporary, scoped-down credentials to upload files to S3 securely. This approach is:

Secure – Uses short-lived credentials with least privilege

Scalable – No need for EC2 or VPN tunnels

Low Operational Overhead – No infrastructure to maintain

AWS-Recommended – Aligned with security best practices

In contrast:

Option A uses long-term credentials, which is a security risk.

Option B requires additional infrastructure (EC2, VPN), increasing complexity and cost.

Option C relies on IP-based access, which is insecure and not a form of identity-based authentication.

Key Requirements:

Host the frontend on AWS as a static website.

Protect the application from common web vulnerabilities.

Minimal operational overhead.

Analysis of Options:

Option A:

Hosting the frontend on EC2 with an ALB introduces unnecessary complexity for serving static content.

AWS WAF rules can protect the ALB, but managing EC2 instances adds operational overhead.

Incorrect Approach:High operational complexity for a simple static website.

Option B:

Amazon CloudFront:Acts as a global CDN, reducing latency and protecting against DDoS attacks.

Multiple Origins:Allows static content to be served from S3 while routing API traffic to the on-premises backend.

AWS WAF:Integrates with CloudFront to provide web application protection.

Correct Approach:Offers low operational overhead with optimal security and performance.

Option C:

Using NLB and Network Firewall is unnecessary for a static website. This approach increases cost and complexity without addressing the frontend requirements effectively.

Incorrect Approach:Over-engineered solution.

Option D:

Hosting the frontend on S3 and using API Gateway is a viable option, but managing AWS WAF rules separately for both the S3 bucket and the REST API increases complexity.

Incorrect Approach:Less efficient than using CloudFront with multiple origins.

AWS Solution Architect References:

Amazon CloudFront Overview

AWS WAF with CloudFront

Explanation (AWS Docs):

DynamoDB Accelerator (DAX) is a fully managed, in-memory cache specifically for DynamoDB. It reduces read load and latency without requiring code changes (only SDK config). This is the least development effort.

“Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available in-memory cache for DynamoDB that delivers microsecond read performance and requires minimal application changes.”

— Amazon DAX

Amazon RDS Multi-AZ deployments provide automatic failover for relational databases such as MySQL, ensuring high availability and durability. The feature maintains synchronous replication between a primary DB instance and a standby in a separate Availability Zone. AWS guarantees that failover typically completes within minutes, ensuring an RTO and RPO of less than 2 minutes. Option A requires manual promotion of replicas, which cannot meet the strict RTO/RPO requirement. Option C depends on custom scripts and manual synchronization, introducing operational risk. Option D creates active-active EC2-based databases, which do not provide synchronous replication or automated failover. Therefore, Multi-AZ RDS (B) is the managed, resilient, and operationally efficient solution that meets the business requirements.

AWS Step Functions supports long-running workflows and error retries, making it ideal for a job composed of many tasks. Integration with EventBridge allows automatic triggering from S3 events. This setup is resilient and supports up to 1-year execution duration.

Amazon Cognito is the AWS-native user authentication service for web and mobile applications, andLambda@Edgecan run authorization logic close to users at CloudFront edge locations. AWS documentation notes that CloudFront can invoke Lambda@Edge functions at edge locations and that Cognito integrates well for user authentication scenarios. This combination fits the requirements for aserverlessauthorization/authentication architecture, low login latency, andglobal web content delivery. The other options either use services that are not ideal for this end-user web-authentication pattern or do not provide the same edge-based global delivery model. (docs.aws.amazon.com)

Amazon Athena enables serverless SQL queries directly on S3 objects, eliminating the need to download or preprocess data. EMR adds operational overhead, and API Gateway/ElastiCache are not data lake query engines.

Amazon SQS is the AWS service built to decouple producers and consumers and to absorb variable traffic. AWS documentation describes SQS as a fully managed message queue that enables decoupling and scaling of microservices and distributed systems. AWS Lambda guidance also uses SQS as the standard pattern when a downstream component may be slower than an upstream one, because the queue durably persists messages and decouples the services. That directly supports frontend responsiveness during traffic spikes. It also supports reprocessing because messages remain in the queue until consumers successfully process and delete them, and failed processing can be retried. The ALB and direct HTTPS options do not provide durable buffering. Kinesis is possible, but for decoupled order processing and retry-oriented workflows, SQS is the more natural and simpler service.

============

AWS recommends usingSystems Manager Session Managerinstead of direct SSH for administrative access because it provides browser-based or CLI-based access without bastion hosts and supports centralized audit logging. To allow private instances to reach Systems Manager without internet exposure, the VPC needs the appropriateinterface VPC endpoint. The managed instances also need the proper instance permissions, and AWS documentation points to theAmazonSSMManagedInstanceCorepolicy for that purpose. A gateway endpoint is not used for Session Manager, and attaching a user-facing Session Manager policy to the EC2 instances themselves is the wrong permission model. This makesB and Ethe most operationally efficient and secure combination. (AWS Documentation)

============

The company wants to reduce end-to-end load time for its global customer base.AWS Global Acceleratorprovides a network optimization service that reduces latency by routing traffic to the nearest AWS edge locations, improving the user experience for globally distributed customers.

AWS Global Accelerator:

Global Acceleratorimproves the performance of your applications by routing traffic through AWS’s global network infrastructure. This reduces the number of hops and latency compared to using the public internet.

By creating astandard acceleratorand configuring the existing NLBs as target endpoints, Global Accelerator ensures that traffic from users around the world is routed to the nearest AWS edge location and then through optimized paths to the NLBs in each region. This significantly improves end-to-end load time for global customers.

Why Not the Other Options?:

Option A (ALBs instead of NLBs): ALBs are designed for HTTP/HTTPS traffic and provide layer 7 features, but they wouldn’t solve the latency issue for a global customer base. The key problem here is latency, and Global Accelerator is specifically designed to address that.

Option B (Route 53 weighted routing): Route 53 can route traffic to different regions, but it doesn’t optimize network performance. It simply balances traffic between endpoints without improving latency.

Option C (Additional NLBs in more regions): This could potentially improve latency but would require setting up infrastructure in multiple regions. Global Accelerator is a simpler and more efficient solution that leverages AWS’s existing global network.

AWS References:

AWS Global Accelerator

By usingAWS Global Acceleratorwith the existing NLBs, the company can optimize global traffic routing and improve the customer experience by minimizing latency. Therefore,Option Dis the correct answer.

AmazonSES (Simple Email Service)allows for the automatic ingestion of incoming emails. By setting up email receiving in SES and creating a rule set with a receipt rule, you can configure SES to invoke anAWS Lambda functionwhenever an email is received. The Lambda function can then process the email body and attachments, saving any attachments to an Amazon S3 bucket. This solution is highly scalable, cost-effective, and provides near real-time processing of emails with minimal operational overhead.

Option B (Content filtering): This only filters emails based on content and does not provide the functionality to save attachments to S3.

Option C (S3 Event Notifications): While SES can store emails in S3, SES with Lambda offers more flexibility for processing attachments in real-time.

Option D (EventBridge rule): EventBridge cannot directly listen for incoming emails, making this solution incorrect.

AWS References:

Receiving Email with Amazon SES

Invoking Lambda from SES

The current architecture tightly couples image upload, resizing, and storage into a single synchronous workflow handled by EC2 instances. This increases upload latency and degrades user experience. The optimal solution is to decouple upload from processing and offload work to managed services.

Option C allows users’ browsers to upload images directly to Amazon S3 using presigned URLs, bypassing the EC2 web servers entirely. This significantly reduces server load, network hops, and request latency while improving scalability and performance. Presigned URLs also maintain security by granting time-limited, scoped access to S3.

Option D complements this by using S3 Event Notifications to invoke an AWS Lambda function whenever a new image is uploaded. The Lambda function performs the image resizing asynchronously and stores the processed image back in S3. This event-driven, serverless pattern eliminates tight coupling between upload and processing and ensures automatic scaling with minimal operational overhead.

Option A is unsuitable because Glacier is for archival storage and not designed for active uploads or processing. Option B still routes uploads through EC2, maintaining the bottleneck. Option E introduces unnecessary delays and inefficiency by resizing images on a schedule instead of reacting to upload events.

Therefore, C and D together provide the most performant, scalable, and operationally efficient image upload and processing architecture using AWS-native, event-driven services.

Using Amazon CloudFront in front of an ALB in a single region is a cost-effective way to deliver content with low latency across the globe. CloudFront caches content closer to the users, reducing the load on backend servers and minimizing data transfer costs by serving cached content from edge locations.

Compared to Global Accelerator, CloudFront is significantly more cost-optimized for static and dynamic content delivery. Multi-region deployments increase infrastructure and transfer costs, which violates the optimization goal. Therefore, option A provides the best mix of performance and cost efficiency.

The correct answer isAbecause the legacy mainframe requires asynchronous RESTful APIand the new service takes approximately3 minutesto complete each request. Among the choices,Amazon API Gateway REST APIis the appropriate option for exposing a synchronous REST endpoint to the mainframe. API Gateway REST APIs support longer integration timeouts than HTTP APIs, which makes them more suitable for workloads that take an extended time to process. The REST API can invoke an AWS Lambda function to execute the stock price calculation and return the result synchronously.

Option B is incorrect becauseAPI Gateway HTTP APIshave a shorter integration timeout and are not the best fit for a request that takes around 3 minutes. Option C is incorrect becauseWebSocket APIsare not RESTful and do not meet the requirement for synchronous REST-based integration with the mainframe. Option D is incorrect becauseLambda function URLsdo not provide the same API management features and are not the best choice for a long-running synchronous enterprise integration requirement of this kind.

AWS design guidance favors API Gateway when exposing managed APIs to external consumers. In this case, theREST APIoption best matches the requirement for synchronous RESTful access while supporting the longer processing duration. It also provides a managed front door for authentication, throttling, and operational control if the company needs those features later.

One note of honesty: some exam versions treat the REST API timeout detail as the deciding factor here. That is the key reasonREST APIis preferred overHTTP APIfor this question.

Amazon S3 is the most scalable and cost-optimized object storage for large amounts of data. It integrates natively with Amazon SageMaker, which allows direct access to S3 data for machine learning training jobs without the need to copy data elsewhere. The S3 Intelligent-Tiering storage class further optimizes storage costs for data with unknown or changing access patterns, while maintaining immediate availability for ML training.

Copying to FSx for Lustre or EFS adds unnecessary complexity and cost unless ultra-high throughput POSIX file access is specifically required, which is not mentioned here.

AWS Documentation Extract:

" Amazon S3 provides cost-effective storage for ML data sets, and Amazon SageMaker can directly access data in S3. S3 Intelligent-Tiering automatically moves data between frequent and infrequent access tiers, optimizing costs for changing data access patterns. "

(Source: AWS S3 and SageMaker documentation)

A, D: FSx for Lustre or EFS may be used in specialized cases but are not cost-optimized for general large-scale ML data storage.

C: SageMaker notebook instance storage is not designed for large-scale data ingestion or long-term storage.

AWS WAF (Web Application Firewall): AWS WAF allows you to create custom rules to block or allow web requests based on conditions that you specify.

Web ACL (Access Control List):

Create a web ACL and associate it with the ALB.

Use IP rule sets to specify the IP addresses of the retail locations that are allowed to access the application.

Security and Flexibility:

AWS WAF provides a scalable way to manage access control, ensuring that only traffic from registered IP addresses is allowed.

You can dynamically update the IP rule sets to add or remove IP addresses as needed.

Operational Simplicity: Using AWS WAF with a web ACL is straightforward and integrates seamlessly with the ALB, providing an efficient solution for managing access control based on IP addresses.

AWS Budgetsis the native service for creating budget thresholds and sending notifications whenactualorforecastedcosts exceed those thresholds. AWS documentation states that Budgets can send alerts toAmazon SNSand supports both actual and forecasted alerts without requiring custom code. Cost Explorer is still useful for analyzing and monitoring cost trends, but Budgets is the correct alerting tool. The other options introduce unnecessary Lambda logic or misuse other services. Since the question specifically says the company does not want to build a custom solution, a budget with SNS alerts is the most direct and least operationally heavy answer.

============

Amazon S3 is the most cost-effective storage service for large and growing collections of image files, and Amazon CloudFront is the standard way to deliver those objects globally with low latency. AWS documentation states that CloudFront can use an S3 bucket as an origin and cache the objects at edge locations around the world. This reduces latency for viewers and reduces repeated load on the origin. EBS, EFS, and FSx are not the best fit for large-scale internet-facing object delivery because they are not purpose-built global object distribution services. Therefore, S3 plus CloudFront is the correct and most economical architecture for global image delivery at scale.

============

To decouple distributed workloads and improve scalability and resiliency, Amazon SQS should be used as a reliable job queue. The compute nodes (workers) can poll the SQS queue for tasks, and EC2 Auto Scaling can dynamically scale instances based on the ApproximateNumberOfMessages metric.

From AWS Documentation:

“Amazon SQS enables you to decouple application components, allowing each part to scale independently. You can scale EC2 instances automatically based on the number of messages in the queue.”

(Source: Amazon SQS Developer Guide – Scaling Consumers with Auto Scaling)

Why B is correct:

Eliminates the single point of failure (the primary coordinator).

Enables event-driven scaling based on queue depth.

Provides durability and resiliency since messages are stored redundantly.

Fully managed and integrates seamlessly with Auto Scaling policies.

Why other options are incorrect:

A: Scheduled scaling does not respond to variable workloads.

C & D: Misuse of CloudTrail/EventBridge; not intended for workload coordination.

The requirement is for workloads inside a VPC to resolve private DNS names that are hosted on-premises over a VPN connection. The most secure and AWS-recommended method to achieve this is to use Amazon Route 53 Resolver outbound endpoints with forwarding rules.

Option A enables DNS queries that originate in the VPC to be securely forwarded to on-premises DNS servers through the VPN connection. A Route 53 Resolver outbound endpoint provides elastic, managed DNS forwarding capability without exposing DNS services to the public internet. By creating a Resolver rule, the company can define which domain names (for example, internal corporate domains) should be forwarded to specific on-premises DNS IP addresses. Associating the rule with the VPC ensures only authorized VPCs can use this resolution path.

Option B is used for the opposite scenario: when on-premises systems need to resolve private DNS names hosted in AWS, not when AWS needs to resolve on-premises names. Option C is invalid because Route 53 private hosted zones can only be associated with VPCs, not directly with on-premises networks. Option D is insecure because it exposes internal service records publicly and violates the requirement for private DNS.

Therefore, A is the most secure solution because it keeps DNS resolution private, uses managed AWS infrastructure, integrates cleanly with VPN connectivity, and follows AWS hybrid DNS best practices.

Option Bis the correct solution because:

AWS Security Token Service (STS)allows the web application to request temporary security credentials that grant access to AWS resources. These temporary credentials are secure and short-lived, reducing the risk of misuse.

Using STS and IAM roles ensures scalability by enabling the application to dynamically assume roles with the required permissions for each AWS service.

Option A:Assigning IAM roles directly to instances is less flexible and would grant the same permissions to all applications on the instance, which is not ideal for a multi-service web application.Option C:AWS IAM Identity Center is used for managing single sign-on (SSO) for workforce users and is not designed for granting programmatic access to web applications.Option D:Storing long-term access keys, even in AWS Systems Manager Parameter Store, is less secure and does not scale well compared to temporary credentials from STS.

AWS Documentation References:

AWS Security Token Service (STS)

IAM Roles for Temporary Credentials

Amazon CloudFront is a highly cost-effective CDN that caches content like images and videos at edge locations globally. This reduces latency and the load on the origin S3 bucket. It is ideal for static content that is accessed by many users.

The company wants to move from an on-premises Docker environment to fully managed AWS services with persistent storage. The best fit is:

Amazon ECS with AWS Fargate launch type: This is a serverless container orchestration solution where AWS manages the underlying infrastructure, removing the need to manage EC2 or Kubernetes nodes.

Amazon EFS (Elastic File System): This is a fully managed, scalable, and shared file system for use with ECS tasks. It supports persistent storage for containers, replacing the local volumes used on-premises.

This combination (ECS + Fargate + EFS) is fully managed and requires no manual server maintenance.

Option A uses EKS with self-managed nodes, which is not fully managed.

Option C (DynamoDB) is for structured key-value storage, not for persistent file storage.

Option D uses ECS with EC2 launch type, which is not serverless and requires managing instances.

???? Reference:

Using Amazon ECS with AWS Fargate

Mounting EFS volumes in ECS tasks

The lowest-overhead answer isAPI Gateway with direct AWS service integration to DynamoDB PutItem. DynamoDB’s API includes a native PutItem action for writing an item to a table, and API Gateway supports direct AWS service integrations, which lets the web application send requests through an API layer without developers touching DynamoDB directly. This approach is scalable, reusable, and avoids managing Lambda code purely as a pass-through layer. The SQS-based design adds unnecessary queueing for a straightforward write API, and ALB is not the appropriate frontend for invoking DynamoDB actions. Therefore, direct API Gateway service integration is the cleanest design.

============

Option Ais the most automated and cost-efficient solution for exporting data to S3 for analytics.

Option Binvolves manual setup of Streams to S3.

Options C and Dintroduce complexity with EMR.

The company is already running Kubernetes, soAmazon EKSminimizes application-platform changes while moving to AWS. The application also usesAMQP, and AWS documentation states thatAmazon MQ for RabbitMQsupports AMQP 0-9-1, which preserves the messaging model better than moving to SQS. ECS and Lambda would require a bigger platform or protocol change. Running directly on EC2 adds more operational burden than using managed Kubernetes. Therefore, EKS plus Amazon MQ is the least-overhead migration path that preserves the application’s container and messaging patterns. (docs.aws.amazon.com)

============

Enabling Multi-AZ deployment for an Amazon RDS DB instance is the simplest and most effective way to improve database availability and eliminate a single point of failure. Multi-AZ deployments provide automatic failover to a standby instance in case of a failure of the primary instance. This approach is managed by AWS and only requires a modification to the existing instance, with minimal manual intervention or downtime, thus providing the least implementation effort.

Reference Extract from AWS Documentation / Study Guide:

" With Multi-AZ deployments, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). In case of a failure of the primary DB Instance, Amazon RDS automatically fails over to the standby so that database operations can resume quickly. "

Source: AWS Certified Solutions Architect – Official Study Guide, RDS High Availability section.

Amazon SQS FIFO queues are built for workloads that require both message ordering and exactly-once processing behavior. AWS documentation states that FIFO queues preserve first-in, first-out order and support deduplication so duplicate messages are not introduced within the deduplication interval. That directly satisfies the requirement for exact order and exactly-once semantics. SNS alone is a pub/sub notification service, but it does not by itself provide this exact combination as simply as an SQS FIFO queue. Standard queues allow at-least-once delivery and can deliver messages out of order, so they do not meet the requirement. MSK could be engineered to solve the problem, but it introduces far more operational overhead than a managed queue service. For the most operationally efficient serverless design, SQS FIFO is the correct answer.

============

Amazon RDS Blue/Green Deployments provide a safe and straightforward way to make database changes with minimal downtime and risk. Blue/Green deployments create an exact copy ( " green " ) of your production environment ( " blue " ) where you can make schema changes and run tests. After validation, you can promote the green environment to production with a single click or API call, achieving near-zero downtime and maximum availability. This is the AWS-recommended method for deploying major database changes in a way that minimizes impact to users and maximizes uptime.

Reference Extract from AWS Documentation / Study Guide:

" Amazon RDS Blue/Green Deployments enable you to make changes to your database environment safely. You can perform schema updates and feature testing in a fully managed staging environment and switch over with minimal downtime, ensuring the highest availability. "

Source: AWS Certified Solutions Architect – Official Study Guide, Database and Migration section; Amazon RDS Blue/Green Deployments Documentation.

AWS best practice for a highly available, resilient web application is:

Run EC2 instances in an Auto Scaling group across multiple Availability Zones.

Put an Application Load Balancer (ALB) in front of the Auto Scaling group.

Use CloudWatch alarms and scaling policies for horizontal scaling based on demand.

Option D implements exactly this: a minimum of three instances spread across AZs (resilience to AZ failure), behind an ALB, with automatic horizontal scaling. This provides both elasticity and high availability with good cost efficiency (instances scale out/in based on traffic).

Option A uses only three fixed instances and relies on vertical scaling, which does not scale as well and is less resilient.

Option B overprovisions to nine instances from the start, which is unnecessarily expensive.

Option C keeps all instances in a single AZ, which does not meet resilience requirements.

AWS documents that Amazon Macie supportsautomated sensitive data discovery, which continuously discovers and reports sensitive data in S3. AWS also documents that Macie findings can be processed automatically by usingAmazon EventBridge, including sending those events to a Lambda function for remediation or downstream processing. That combination provides continuous monitoring with low operational overhead and avoids the custom scheduling and job-launch logic in the other options. Because the question explicitly asks for continuous monitoring and low overhead, Macie automated sensitive data discovery plus EventBridge-triggered Lambda remediation is the best fit.

============

AWS Global Accelerator reduces latency by directing users to the optimal Regional endpoint based on global network health and proximity. Amazon CloudFront caches static and dynamic content at edge locations for ultra-low latency access worldwide, improving performance and reducing server load.

Analysis:

The solution must handle variable sales volumes, preserve transaction information, and store data in an Amazon Aurora database with minimal operational overhead. UsingAPI Gateway, AWS Lambda, and SQSis the best option because it provides scalability, reliability, and resilience.

Why Option A is Correct:

API Gateway: Serves as an entry point for transaction data in a serverless, scalable manner.

AWS Lambda: Processes the transactions and sends them to Amazon SQS for queuing.

Amazon SQS: Buffers the transaction data, ensuring durability and resilience against spikes in transaction volume.

Second Lambda Function: Processes messages from the SQS queue and updates the Aurora database, decoupling the workflow for better scalability.

Dead-Letter Queue (DLQ): Ensures failed transactions are logged for later debugging or reprocessing.

Why Other Options Are Not Ideal:

Option B:

Using an ALB with ECS on EC2 introduces operational overhead, such as managing EC2 instances and scaling ECS tasks.Not cost-effective.

Option C:

EKS is highly operationally intensive and requires Kubernetes cluster management, which is unnecessary for this use case.Too complex.

Option D:

Amazon Data Firehose and DMS are not designed for real-time transactional workflows. They are better suited for data analytics pipelines.Not suitable.

AWS References:

Amazon API Gateway:AWS Documentation - API Gateway

AWS Lambda:AWS Documentation - Lambda

Amazon SQS:AWS Documentation - SQS

Amazon Aurora:AWS Documentation - Aurora

AWS Global Accelerator is a service that improves global application availability and performance using the AWS global network. It supports both TCP and UDP protocols and provides optimized routing and lower latency for real-time applications such as VoIP, regardless of where the user is located globally.

AWS Documentation Extract:

" AWS Global Accelerator uses the AWS global network to optimize the path to your application endpoints, improving performance for TCP and UDP traffic, such as VoIP. "

(Source: AWS Global Accelerator documentation)

B: CloudFront accelerates HTTP/S content, not TCP/UDP.

C: Route 53 geoproximity routing is for DNS-based routing, not for traffic acceleration.

D: Network Load Balancers support TCP/UDP, but do not address global latency or provide acceleration.

AWS Control Tower: Provides a managed service to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of AWS Organizations and applies security controls (guardrails).

Networking Account:

Create a centralized networking account that includes a VPC with both private and public subnets.

This centralized VPC will manage and control the networking resources.

AWS Resource Access Manager (AWS RAM):

Use AWS RAM to share the subnets from the networking account with the other workload accounts.

This allows different workload accounts to utilize the shared networking resources without the need to manage their own VPCs.

Operational Efficiency: Using AWS Control Tower simplifies the setup and governance of multiple AWS accounts, while AWS RAM facilitates centralized management of networking resources, reducing operational overhead and ensuring consistent security and compliance.

AWS Config allows for creation of custom rules to monitor EBS configurations. Combined with CloudWatch metrics and Amazon SNS, custom rules can track over-provisioned IOPS and send alerts when thresholds are breached, allowing proactive cost and performance management.

AWS documentation states that the most secure method for granting private S3 access from VPCs is to use gateway VPC endpoints for Amazon S3. Endpoint policies enforce least privilege by allowing only specific IAM roles access to specific S3 buckets. Because users can obtain temporary credentials through IAM roles, no permanent access keys must be distributed.

S3 bucket policies based on CIDR ranges (Option B) are less secure because CIDR-based access is broader and can grant unintended access. Access points (Option C) still rely on public S3 endpoints unless combined with VPC-only access, which is not stated here. Option D exposes S3 to public internet egress and depends on public IPs, violating least-privilege principles.

=====================================================

The correct answer isDbecause the workload isinterruptible, runs for onlyup to 48 hours each week, and the company wants themost cost-effectivesolution while alsominimizing interruptions. These requirements strongly align withAmazon EC2 Spot Instances. Spot Instances provide significant savings compared with On-Demand pricing and are ideal for batch processing, analytics, and other fault-tolerant workloads that can recover from interruptions.

To minimize the chance of interruption, the best allocation strategy iscapacity-optimized. This strategy places Spot requests into the most available Spot capacity pools, which reduces the likelihood that the running instances will be reclaimed. That is more aligned with the requirement than focusing primarily on the absolute lowest price. By usinginstance type overridesin the Auto Scaling group, the company can specify multiple acceptable instance types across generations and sizes. This improves access to capacity and helps the company adoptnewer generation instancesover time without locking into a single family or type.

Option A is incorrect becauseConvertible Reserved Instancesare not as cost-effective as Spot for an interruptible workload that runs only part of the week, and a 3-year term reduces flexibility. Option B is incorrect becauseStandard Reserved Instancesare better for steady-state workloads and do not support the requirement to move to the latest generation each year as flexibly. Option C is close, butprice-capacity-optimizedbalances cost and capacity; the question prioritizes minimizing interruptions, socapacity-optimizedis the better answer.

AWS cost optimization guidance recommendsSpot Instances with a capacity-focused strategyfor fault-tolerant workloads that need low cost and fewer interruptions.

Option A: Importing customer-managed keys into AWS KMS ensures that encryption key material remains under the company’s control.

Option D: S3 Glacier with server-side encryption using customer-provided keys (SSE-C) complies with the need for controlled encryption and provides cost-effective storage for backups.

AWS Key Management Service Importing Keys Documentation,S3 Encryption Documentation

When using an SQS queue as an event source for AWS Lambda, the visibility timeout of the SQS queue plays a critical role in preventing duplicate message processing.

" If your Lambda function doesn ' t process the message and delete it from the queue within the visibility timeout period, the message becomes visible again and can be processed again by the same or another function instance. "

— AWS Lambda with SQS

In this scenario, the third-party API may take up to 60 seconds to respond. Since the Lambda function is configured with a 65-second timeout, the visibility timeout of the queue must be greater than or equal to the maximum function execution time to avoid the same message being reprocessed.

Incorrect Options:

A: Memory allocation doesn’t impact duplicate message handling.

B: Timeout is already sufficient; increasing it further does not solve the core issue.

C: Delivery delay controls initial delivery delay, not reprocessing logic.

Amazon Kinesis is the right streaming service because it ingests and processes data in real time. For the user-data store, Amazon DynamoDB is the correct database because AWS documents that DynamoDB is a serverless, fully managed, distributed NoSQL database with single-digit millisecond performance at any scale. That directly matches the durability, low-latency, and unknown-scale requirements in the question. RDS is not the most natural fit for unpredictable massive serverless scaling here, while CloudFront and Global Accelerator solve delivery and network-edge problems rather than real-time event ingestion plus low-latency persistence. For a serverless analytics application with streaming game data and highly scalable user storage, Kinesis and DynamoDB are the best pair.

============

Why Option A is Correct:

ElastiCache for Redis: Provides persistent, scalable caching for in-progress transactions and SQL queries. Redis supports data durability and advanced features, making it suitable for transactional workloads.

Integration with Aurora: Easily integrates with the Aurora cluster to improve query performance.

Why Other Options Are Not Ideal:

Option B: CloudFront and S3 are unsuitable for transactional caching. EC2 instance store volumes are ephemeral and lack persistence.

Option C: Memcached does not offer persistence or advanced transactional support, unlike Redis.

Option D: Combining Redis with EC2 instance store is unnecessary; Redis alone meets all caching requirements.

AWS References:

Amazon ElastiCache:AWS Documentation - ElastiCache

Amazon CloudFront can usemultiple originsin one distribution, including anAmazon S3 bucketfor static content and anApplication Load Balancerfor dynamic content. That lets the company reduce latency globally for both content types while keeping a single front door for users. AWS documentation specifically notes that CloudFront supports both S3 origins and load balancer origins, and a single distribution can include multiple origins. Route 53 can then alias the company’s domain to the CloudFront distribution. The Global Accelerator options are unnecessary here because CloudFront already addresses the performance need for both static and dynamic web delivery in this architecture.

============

When AWS workloads must resolve DNS names from on-premises systems over a hybrid network (like VPN or Direct Connect), the best solution is to use Amazon Route 53 Resolver outbound endpoints.

The outbound endpoint enables DNS queries to be forwarded from your VPC to on-premises DNS servers.

You must also configure a Route 53 Resolver forwarding rule to define which domain names (e.g., corp.internal) should be forwarded to the specific on-premises DNS IPs.

This setup allows private DNS resolution from AWS to on-premises systems and is fully managed, eliminating the need to run and maintain EC2-based DNS proxies (as in option A).

Options C and D are incorrect:

C is not DNS-specific and doesn’t solve name resolution.

D misuses a public hosted zone for a private DNS domain.

???? Reference:

Route 53 Resolver Outbound Endpoints

Requirement Analysis: Need secure, direct connectivity from an on-premises client to an RDS cluster, accessible only when in the office.

VPC with Private Subnets: Ensures the RDS cluster is not publicly accessible, enhancing security.

Site-to-Site VPN: Provides secure, encrypted connection between on-premises office and AWS VPC.

Implementation:

Create a VPC with two private subnets.

Launch the RDS cluster in the private subnets.

Set up a Site-to-Site VPN connection with a customer gateway in the office.

Conclusion: This setup ensures secure and direct connectivity with minimal exposure, meeting the requirement for secure access from the office.

References

AWS Site-to-Site VPN:AWS Site-to-Site VPN Documentation

Amazon RDS:Amazon RDS Documentation

Amazon CloudFront is a content delivery network (CDN) service that caches copies of your content at edge locations around the world. This helps improve performance by serving content from the edge nearest to the user. However, when the content in Amazon S3 (your origin) is updated, those updates may not immediately reflect on the website if they are cached at the CloudFront edge locations.

The issue described in the question suggests that the CI/CD pipeline is functioning correctly, and updates are being deployed to S3. However, since CloudFront caches this content, the edge locations may still be serving outdated content, causing the updates to not be reflected on the website.

To resolve this issue, you need to invalidate the CloudFront cache. By invalidating the cache, CloudFront will remove the outdated content and retrieve the latest version from the S3 origin.

AWS documentation on this process:

CloudFront cache invalidation allows you to clear items from the cache so that CloudFront retrieves the latest version from the origin. You can create invalidation requests via the AWS Management Console, AWS CLI, or SDKs.

AWS CloudFront Documentation

Why the other options are incorrect:

A. Add an Application Load Balancer: ALBs are used to distribute incoming application traffic and are not relevant to caching or serving content from CloudFront.

B. Add Amazon ElastiCache for Redis or Memcached: This would help in caching database queries but has no relation to static website content hosted on CloudFront and S3.

D. Use AWS Certificate Manager (ACM): ACM is used for managing SSL/TLS certificates and is unrelated to the issue of content not being updated on CloudFront.

Explanation (AWS Docs):

Although the question says “before sending it,” AWS best practice for sensitive data is SSE-KMS (Server-side encryption with AWS KMS keys), which gives full key usage auditing. It integrates with AWS KMS and provides compliance-friendly encryption at rest automatically.

“SSE-KMS uses AWS Key Management Service to manage encryption keys. SSE-KMS also provides an audit trail of key usage.”

— Protecting Data Using Server-Side Encryption

Why not D?

Client-side encryption requires custom key management and adds operational overhead. C is simpler and compliant.

Amazon SQS FIFO queuesensure that orders are processed in the exact order received and maintain message deduplication.

AWS Lambdascales automatically, handling bursts and maintaining high availability in a cost-effective manner.

Option A and D:Amazon SNS does not guarantee ordered processing.

Option C:Standard SQS queues do not guarantee order.

AWS Documentation References:

Amazon SQS FIFO Queues

AWS provides EBS Block Public Access at the AWS Organizations level, which, when enabled, prevents EBS snapshots from being shared publicly across all member accounts. This is an organization-wide control that requires minimal configuration and no ongoing monitoring to prevent public sharing.

This directly satisfies the requirement:

Covers all accounts managed by Organizations.

Explicitly prevents public snapshot sharing.

Has the least operational overhead because it is a single centralized control.

AWS Config (Option A) only monitors and alerts, but does not prevent public sharing.

An IAM policy in the root account (Option C) is harder to enforce consistently across all accounts and may not cover all permission paths.

CloudTrail (Option D) only logs events and does not prevent public access.

Compute Savings Plans apply to EC2, AWS Fargate, and AWS Lambda usage, maximizing coverage for mixed architectures while retaining flexibility across instance families, regions, OS, and tenancy. For private connectivity, Lambda functions must be configured with VPC access to attach ENIs in the target subnets, enabling direct network access to EC2 in private subnets (no public subnets are required for intra-VPC communication). EC2 Instance Savings Plans only discount EC2 usage and are tied to a specific instance family in a region, reducing flexibility and leaving Lambda costs undiscounted. Keeping Lambda in the service VPC prevents direct access to private EC2 without VPC configuration. Thus, a 1-year Compute Savings Plan plus connecting Lambda to the private subnets minimizes total cost and meets connectivity needs.

Compute Savings Plansoffer the most flexible and cost-effective solution for the production instances, as they provide significant savings (up to 66%) for both EC2 and AWS Lambda usage, while allowing flexibility in the type of instance family, size, and even region. For nonproduction instances, usingOn-Demand Instancesensures you only pay for the instances when they are running, and shutting them down during off-hours further optimizes cost.

Key AWS features:

Compute Savings Plans: Provide savings based on consistent usage, making it ideal for production environments with steady load.

On-Demand Instances: Suitable for nonproduction environments that are used intermittently. Shutting them down when not in use avoids unnecessary costs.

AWS Documentation: According to AWS ' s cost optimization best practices, using a combination of Savings Plans for production and On-Demand Instances for nonproduction environments that are used sparingly results in optimal cost savings​​.

A. Kinesis Data Streams:Supports high throughput, strict ordering, multiple consumers, and data retention for 365 days.

B. SNS + SQS FIFO:Can enforce ordering but lacks native support for 500 KB messages and retention requirements.

C. EventBridge:Lacks strict ordering and message size compatibility.

D. SNS + Firehose:Not designed for strict ordering or large message sizes.

IAM Access Analyzeris the correct service because AWS documents that it helps identify and reviewunused accessfor IAM users and roles across AWS accounts and organizations. It can generate findings that show where permissions are broader than necessary and can recommend narrower policies when applicable. Network Access Analyzer focuses on network reachability, not IAM over-permission. CloudWatch alarms on user activity do not analyze granted permissions, and Amazon Inspector is not the service for IAM permission-rightsizing. Since the company wants the least administrative overhead across multiple accounts managed with AWS Organizations, IAM Access Analyzer is the AWS-native service purpose-built for this kind of access review. (AWS Documentation)

============

AWS Step Functions can orchestrate Lambda executions without modifying the Lambda code, and the Map state is designed to run a Lambda function once per item in a list—perfect for activating many devices in parallel or controlled batches.

This eliminates the loop inside the Retrieve function and prevents timeouts.

EventBridge (Option A) only changes the schedule. DynamoDB Streams (Option B) is unrelated to the activation workflow. EC2 (Option D) increases operational overhead.

AWS Spot best practices recommend diversifying capacity across multiple instance types and Availability Zones and using the capacity-optimized (price-capacity-optimized) allocation strategy to choose pools with the deepest capacity for higher availability. Adding a small On-Demand base in the Auto Scaling group maintains steady, uninterrupted baseline processing while keeping costs low and absorbing Spot interruptions. Option C (lowest price) increases interruption risk. Capacity Reservations (B) target On-Demand capacity guarantees and add cost, not needed for Spot-based elasticity. Option E is redundant; diversification is already achieved with (D). This combination maximizes resiliency of Spot workloads while preserving strong cost efficiency and aligns with AWS guidance for fault-tolerant, stateless applications on Spot.

Amazon SQS FIFO queues guarantee the order of message delivery and ensure that each message is delivered exactly once. Paired with AWS Lambda, this creates a scalable, fault-tolerant architecture that processes each order in order and prevents duplicates, which is critical for ecommerce workflows.

AWS documentation states that the correct and least-privilege method for cross-account SNS-to-SQS integration is:

• Add specific SNS topic ARNs to the SQS queue policy.

• Allow only those topics to publish messages to the queue.

• Ensure SNS has permission to publish to the specific queue ARN.

This ensures strict scoping and adheres to least privilege.

Options A and D grant overly broad permissions. Option B allows publishing to any queue, which violates least privilege.

To capture DNS query and response data, including response codes, Amazon Route 53 provides query logging, which is the most precise and AWS-supported solution for this requirement.

Option A enables Route 53 query logging, which records detailed information about DNS queries, such as the queried domain, record type, source IP, and DNS response code. These logs are delivered to Amazon CloudWatch Logs, where administrators can search, analyze, and retain them for forensic investigation and root cause analysis.

Option B is incorrect because AWS CloudTrail records API calls to AWS services, not DNS query traffic. Option C provides aggregated metrics (such as query counts and health checks) but does not include per-query response codes. Option D offers best-practice recommendations but does not collect or analyze DNS query data.

Therefore, A is the correct solution because Route 53 query logging provides the detailed, low-level DNS visibility required for troubleshooting and operational analysis.

The correct answer isBbecause the company explicitly wants to move from amonolithic architectureto aloosely coupled architecturethat supportsindependent scaling. Refactoring the application intomicroservicesis the architectural approach that best meets that requirement. Running the microservices onAmazon ECScontainers provides a managed container orchestration platform with less operational overhead than managing a Kubernetes environment.

With microservices, separate business functions such as product catalog management and customer checkout can be deployed as individual services. Each service can scale independently based on its own traffic and performance characteristics. This is far more efficient than scaling the entire monolithic application when only one part of the system experiences increased demand.

AnApplication Load Balanceris appropriate because it can route HTTP and HTTPS traffic and supports path-based and host-based routing, which is useful for directing requests to different services. This design improves agility, performance, and operational flexibility while supporting the company’s need for growth.

Option A improves availability and scalability, but it still runs a copy of thesame monolithic applicationon multiple EC2 instances. That does not enable independent scaling of individual functions. Option C creates a basic two-tier design, but it is not a fully loosely coupled microservices architecture. Option D uses Amazon EKS but places the application into asingle container, which does not achieve independent scaling of separate components and introduces more operational complexity than necessary.

AWS architectural best practices recommend decomposing monoliths intomicroserviceswhen independent scaling, agility, and component isolation are required. Therefore,Amazon ECS with microservicesis the best solution.

Amazon FSx for Lustreis a high-performance, fully managed file system that is ideal for applications requiring low-latency access to shared storage, especially in use cases like gaming where high throughput and low latency are essential. It integrates easily with EC2 instances, providing fast and scalable shared storage, and supports custom protocols for specific application needs.

Option A (FSx File Gateway): FSx File Gateway is designed for hybrid cloud storage and is not suited for high-performance gaming workloads.

Option B (EC2 Windows instance): Setting up a file share on a Windows instance would introduce additional administrative overhead and would not provide the necessary performance.

Option C (EFS with Lustre): While Lustre is integrated with FSx, EFS does not natively support Lustre.

AWS References:

Amazon FSx for Lustre

Amazon Neptune is a fully managed graph database service optimized for storing and navigating complex many-to-many relationships like social graphs or network topologies.

It supports Gremlin and openCypher queries that allow efficient traversal of connections even multiple levels deep. SQL JOINs (Athena or RDS) are inefficient for deep relationship queries due to exponential complexity.

QuickSight is used for data visualization, not graph traversal.

The most cost-effective general solution isDynamoDB auto scaling. AWS recommends atarget utilization of 70%for provisioned throughput with auto scaling, which lets DynamoDB adjust capacity up or down based on sustained workload patterns. That improves both read and write performance while controlling cost better than manual scaling. A GSI is only useful for specific alternate query patterns and does not solve overall throughput management by itself. DAX helps only with read-heavy caching, not writes. A custom CloudWatch-plus-Lambda scaling solution adds unnecessary operational work compared to native auto scaling. Because the question asks broadly for read and write performance at the best cost, auto scaling with the recommended 70% target is the strongest answer.

============

Stopping the DB instance is the most cost-effective option among the choices because it preserves the database for later restart without continuously paying for compute. AWS documents that a stopped RDS DB instance retains its metadata and can be restarted when needed, and that stopped instances automatically restart after 7 days. In practice, this means the company can periodically stop and restart the instance as required for short testing windows. The other options introduce unnecessary rebuild work or architecture changes. While the question wording includes both stop-db-cluster and stop-db-instance, the practical intent is clearly to stop the RDS MySQL instance temporarily and restart it when needed.

============

S3 Block Public Access only blocks public access—not explicitly allowed access.

An S3 bucket policy can explicitly permit access only from specific source IP addresses using the aws:SourceIp condition. This allows secure, direct HTTP access to the S3 object from known firewall IP addresses.

Static website hosting (Option A) requires the bucket to be public and is blocked by the enabled S3 Block Public Access setting.

CloudFront with OAC (Option C) is unnecessary and adds cost and complexity.

Lambda (Option D) introduces operational overhead and is not needed since S3 policies can enforce IP restrictions directly.

To process each form exactly once and ensure no data is lost, using an Amazon SQS FIFO (First-In-First-Out) queue is the most appropriate solution. SQS FIFO queues guarantee that messages are processed in the exact order they are sent and ensure that each message is processed exactly once. This ensures data consistency and reliability, both of which are crucial for processing user-submitted forms without data loss.

SQS acts as a buffer between the web application server and the worker tier, ensuring that submitted forms are stored reliably and forwarded to the worker tier for processing. This also decouples the application, improving its scalability and resilience.

Option B (API Gateway): API Gateway is better suited for API management rather than acting as a message queue for form processing.

Option C (SQS Standard Queue): While SQS Standard queues offer high throughput, they do not guarantee exactly-once processing or the strict ordering needed for this use case.

Option D (Step Functions): Step Functions are useful for orchestrating workflows but add unnecessary complexity for simple message queuing and form processing.

AWS References:

Amazon SQS FIFO Queues

Decoupling Application Tiers Using Amazon SQS

The requirement is for immediate processing of uploaded videos and prompt notification to users. According to AWS best practices for event-driven architectures, using S3 event notifications to trigger a Lambda function upon an object creation (upload) is the optimal solution for real-time processing. Lambda can process the file as soon as it is uploaded, ensuring low latency. Once processing is complete, Lambda can save the processed file back to S3 and use Amazon SNS to notify the user.

This approach uses managed services with minimal operational overhead, is scalable, and ensures event-driven processing with instant user feedback. AWS Amplify primarily facilitates application development and hosting but does not natively provide direct push notification support for this backend workflow; instead, SNS is designed for such notification scenarios.

Reference Extract from AWS Documentation / Study Guide:

" Amazon S3 can publish events to AWS Lambda when objects are created. AWS Lambda runs code in response to events and can interact with other AWS services. Amazon SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients. "

Source: AWS Certified Solutions Architect – Official Study Guide, Event-driven Architectures section; AWS Lambda Developer Guide (S3 triggers); Amazon SNS User Guide.

Comprehensive and Detailed Step-by-Step Explanation:

The requirement is toprevent data deletion by any user, including administrators, for 7 years while allowing automatic deletion afterward.

S3 Object Lock in Compliance Mode (Correct Choice - C)

Compliance mode ensures that even the root user cannot delete or modify the objects during the retention period.

After 7 years, the S3 Lifecycle policy automatically deletes the objects.

This meets bothimmutability and automatic deletionrequirements.

Governance Mode (Option B - Incorrect)

Governance mode prevents deletion,but administrators can override it.

The requirement explicitly states thateven administrators must not be able to delete the data.

S3 Bucket Policy (Option A - Incorrect)

An S3 bucket policy candeny deletes, but policies can be modified at any time by administrators.

It does not enforce strict retention like Object Lock.

S3 Batch Operations Job (Option D - Incorrect)

A legal hold does not have an automatic expiration.

Legal holds must be manually removed, which is not efficient.

Why Option C is Correct:

S3 Object Lock in Compliance Mode prevents deletion by all users, including administrators.

The S3 Lifecycle policy deletes the data automatically after 7 years, reducing operational overhead.

Provisioned IOPS SSD (io1 or io2) volumes are designed to deliver predictable, high performance for I/O-intensive workloads such as databases. They offer consistent, low-latency performance and durability, making them ideal for business-critical applications that cannot tolerate latency or data loss.

ElastiCache for Redis OSS supportsMulti-AZ with automatic failover, which is exactly the feature required here. AWS documentation states that when Multi-AZ is enabled and the primary node fails, ElastiCache automatically promotes a read replica to primary, minimizing downtime and restoring write capability without requiring manual promotion steps. Backups are useful for recovery, but they do not provide automatic operational failover. A design that depends on manual promotion is also weaker than native automatic failover. Since the question explicitly asks for a solution that canautomatically fail over, the correct answer is to enableMulti-AZfor the replication group.

============

Business-critical applications often require predictable, low-latency I/O and high durability. Provisioned IOPS SSD (io1 or io2) Amazon EBS volumes are specifically engineered for these workloads.

Option C provides consistent, high-performance storage with guaranteed IOPS and low latency. EBS volumes are network-attached and persist independently of the EC2 instance lifecycle, ensuring durability and data protection. Provisioned IOPS volumes are commonly used for databases, transactional systems, and latency-sensitive applications.

Option A (instance store) offers low latency but is ephemeral and loses data on instance stop or failure. Option B is in-memory caching and not durable storage. Option D is optimized for large, sequential workloads and does not provide consistent low latency.

Therefore, C is the correct choice because it delivers the required performance, durability, and reliability for mission-critical applications.

IAM Roles for Service Accounts (IRSA): IRSA allows you to associate an IAM role with a Kubernetes service account. This enables pods to assume the IAM role and access AWS resources securely.

Annotating Service Accounts: By annotating Kubernetes service accounts with the ARN of the IAM role, you establish the association required for IRSA.

OIDC Identity Provider: EKS clusters use OpenID Connect (OIDC) to authenticate service accounts. Setting up a trust relationship between the IAM role and the OIDC provider allows the Kubernetes service account to assume the IAM role.

This solution meets the requirement of encrypting each customer’s data separately with the least operational overhead by leveraging AWS Key Management Service (KMS).

Separate AWS KMS Keys: By creating separate KMS keys for each customer, you can ensure that each customer’s data is encrypted with a unique key. This approach satisfies the compliance requirement for separate encryption and provides fine-grained control over access to the keys.

Granular Access Control: AWS KMS allows you to define key policies and use IAM policies to grant specific permissions to the keys. This ensures that only authorized users or services can access the keys, thereby maintaining the principle of least privilege.

Logging and Monitoring: AWS KMS integrates with AWS CloudTrail, which logs all key usage and management activities. This provides an audit trail that is essential for meeting compliance requirements.

Why Not Other Options?:

Option A (Store keys in S3): Storing keys in S3 is not recommended because it does not provide the same level of security, access control, or integration with AWS services as KMS does.

Option B (Hardware security appliance): Deploying a hardware security appliance adds significant operational overhead and complexity, which is unnecessary given that KMS already provides a secure and centralized key management solution.

Option C (Single KMS key for all data): Using a single KMS key does not meet the requirement of encrypting each customer ' s data separately.

AWS References:

AWS Key Management Service (KMS)- Overview of KMS, its features, and best practices for key management.

Using AWS KMS for Multi-Tenant Applications- Guidance on how to design applications using KMS for multi-tenancy.

EBS Elastic Volumes allow you to dynamically increase storage size, adjust performance, and change volume types without downtime, supporting operational efficiency and scalability for SaaS applications that need to allocate varying storage amounts to customers.

Migrating from EBS to S3 (Option A) is not suitable since S3 is object storage, not block storage, and does not support block-level I/O required by many applications. EFS (Option B) and FSx (Option C) are shared file systems, which might add unnecessary complexity and cost, especially if the application depends on block storage semantics.

Using Lambda to automate Elastic Volumes resizing provides cost efficiency by allocating resources on demand and reduces operational overhead, aligning with AWS operational excellence and cost optimization best practices.

CloudFront requires ACM certificates to be created in us-east-1. Origin Access Control (OAC) securely allows CloudFront to upload objects to S3 without exposing the bucket publicly. Transfer Acceleration and S3 website endpoints are unnecessary or incompatible for this use case.

SAML 2.0-based federation allows organizations to integrate their on-premises Active Directory with AWS, enabling Single Sign-On (SSO) for AWS Management Console and AWS CLI/API access. This lets users continue using their existing AD credentials, removing the need to manage separate identities for AWS and on-premises systems. Mapping roles to AD groups provides granular access control and seamless management.

Reference Extract from AWS Documentation / Study Guide:

" AWS supports SAML 2.0 for federated access, enabling integration with Active Directory or other identity providers to provide single sign-on to AWS resources without creating separate IAM users. "

Source: AWS Certified Solutions Architect – Official Study Guide, Identity and Access Management section.

Amazon S3 supports one Lifecycle configuration per bucket that can contain multiple rules. Lifecycle rules can include filters, including object size filters: ObjectSizeGreaterThan and ObjectSizeLessThan. You can combine rules so that one targets large objects and another provides a default expiration. Here, configure Rule 1 with a size filter ObjectSizeGreaterThan = 1 TB and Expiration = 2 days (48 hours) to purge very large videos early. Configure Rule 2 with Expiration = 7 days without a size filter to serve as a catch-all maximum retention for all objects. Options B and D are invalid because S3 does not allow multiple Lifecycle configurations per bucket. Option C cannot distinguish large files; it would delete all files at the same schedule without honoring the 48-hour policy for > 1 TB objects. This single configuration with two rules meets both retention targets with minimal overhead and full S3-native capability.

The issue is most likely that messages become visible in the queue again before Lambda finishes processing them. AWS documents that when Lambda polls SQS, messages remain hidden only for the queue’s visibility timeout, and if they are not deleted before that timeout expires, they can be retrieved again and reprocessed. AWS specifically recommends setting the SQS visibility timeout to at least six times the Lambda function timeout, and if a batch window is used, to add that value as well. Long polling reduces empty receives but does not prevent duplicate processing. Changing to FIFO is unnecessary here, and deleting messages before successful processing risks data loss.

============

To securely publish messages to an encrypted Amazon SNS topic, the following steps are required:

A. Resource policy for SNS topic:Ensures that the Lambda function is explicitly allowed to publish messages to the topic.

C. Resource policy for KMS key:Provides the necessary permissions to use the customer-managed key for encryption.

F. Lambda execution role:Grants the Lambda function the necessary IAM permissions to use the encryption key.

Other options:

Bis invalid because using SSE-KMS does not eliminate the need for resource policies.

Doverlaps with A, but specifying the ARN in the topic policy is covered by creating the resource policy.

Eis unrelated as API Gateway is not required for this setup.

AWS Documentation Reference:

Amazon SNS and KMS Permissions

AWS STS is the best choice because it issuestemporary security credentialsthat expire automatically, which removes the need to create and later deactivate long-lived IAM users. AWS guidance for third-party and short-term access explicitly recommends roles and temporary credentials instead of sharing long-term credentials. Using predefined IAM roles also makes it easy to assign different permission levels to different contractors while keeping access centrally controlled. IAM users create more administrative effort and leave credential-lifecycle management to the company. AWS Config and CloudTrail are useful for governance and auditing, but they are not the primary mechanism for granting short-term role-based access. Therefore, STS with predefined roles is the most secure and lowest-overhead solution.

============

EBS gp3 volumes allow you to independently configure IOPS and throughput, up to 16,000 IOPS, regardless of the volume size, and at a lower cost compared to io1/io2 provisioned IOPS volumes. This meets the requirement for cost-effective, predictable IOPS performance for Amazon RDS for PostgreSQL.

AWS Documentation Extract:

" With gp3 volumes, you can provision performance independent of storage capacity, up to 16,000 IOPS. This allows for cost-effective scaling for applications that require high performance at a lower price point compared to io1. "

(Source: Amazon EBS documentation, gp3 Volumes)

A: gp2 ties IOPS to volume size; 5 TiB is wasteful if only 15,000 IOPS are needed.

B: io1 works but is significantly more expensive than gp3 for most workloads.

D: Magnetic volumes do not support high IOPS.

To ensure ALB access only via CloudFront, AWS prescribes restricting the origin to traffic from CloudFront. For ALB origins, the standard pattern is to allow inbound to the ALB only from CloudFront edge IP ranges using security groups or ALB listener rules. Network ACLs are coarse and stateless and add operational burden. CloudFront does not have a “VPC origin” object; instead, CloudFront references the ALB DNS name. By limiting the ALB’s security group to CloudFront IP ranges, direct client access to the ALB is blocked while CloudFront remains permitted. This aligns with security best practices to “restrict origin access to only CloudFront” and use SGs for instance/ALB layer controls.

Amazon DynamoDB supports Time to Live (TTL), which automatically and asynchronously deletes expired items based on a timestamp attribute. TTL is ideal for automatic data expiration with very low operational overhead.

In this scenario:

When a user requests deletion, the system can calculate an expiration timestamp one month in the future.

A Lambda function is used once per request to write or update the item’s TTL attribute to that timestamp (Option C).

DynamoDB TTL then automatically removes the item after the expiration time. Deletion typically occurs within 48 hours of the TTL timestamp, which satisfies the “within one month” requirement.

This approach offloads the actual deletion to DynamoDB and avoids building complex orchestration or periodic cleanup jobs.

Options A, B, and D add unnecessary components (EventBridge, streams, AWS Config, and Lambda-based deletion workflows) on top of TTL or custom logic, increasing operational overhead without providing additional value for the given requirement.

SSE-KMS (Server-side encryption with AWS Key Management Service) not only encrypts data at rest but also integrates with AWS CloudTrail to provide detailed logs of key usage — meeting the audit requirement.

“SSE-KMS provides the ability to audit key usage to see who used the key and when, via AWS CloudTrail.”

— Amazon S3 Encryption Documentation

Benefits:

Encryption with customer-managed or AWS-managed KMS keys

Audit trails of key usage events

Fine-grained access control

Incorrect Options:

A: SSE-S3 does not support auditing of key usage.

C: SSE-C does not integrate with CloudTrail or KMS.

D: Self-managed keys require external key infrastructure and custom audit logging.

The lowest-overhead centralized access model is to connect the existingon-premises Active Directoryby usingAD Connectorand then manage AWS account access throughIAM Identity Center permission sets. AWS documentation explains that IAM Identity Center providesone place to assign permissions to multiple AWS accounts, and AD Connector is specifically designed to let AWS services use an existing directory without storing directory information in AWS. This approach preserves the company’s current authentication source and adds centralized authorization across the organization. Creating IAM users or scripting cross-account role assignments would add significant administrative work and weaken the identity model.

============

AWS Fargate runs containers without managing servers, and ECS Service Auto Scaling adjusts the number of tasks based on demand. Behind an Application Load Balancer, ECS services elastically scale out to handle concurrent long-running requests. This fits workloads with processing times of 5–20 minutes per request. Lambda (C, D) has a maximum 15-minute timeout, so a portion of requests would fail or require complex refactoring and orchestration. Option B relies on vertical scaling and manual intervention, leaving capacity idle and failing to scale automatically with spikes. By containerizing the app and running on ECS with Fargate, the company gains automatic scaling, isolation per task, and no instance management, ensuring reliable throughput as request volume grows while keeping operations minimal.

To track costs by department, you must activate the custom department tag as a cost allocation tag in the AWS Organizations management account. Once activated, Cost Explorer and cost and usage reports can group costs by this tag for all linked accounts. The most operationally efficient way is to activate only the relevant department tag and create a cost and usage report grouped by that tag.

AWS Documentation Extract:

“To use a tag for cost allocation, you must activate it in the AWS Billing and Cost Management console. After activation, you can use the tag to group costs in Cost Explorer and reports.”

(Source: AWS Cost Management documentation)

A, E: aws:createdBy is not related to department cost grouping and is unnecessary.

B: Applying extra filters is optional; D is more direct and operationally efficient.

Apresigned URLallows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS References:

Amazon S3 Presigned URLsexplain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Securityemphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A. Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B. Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.

C. Create an IAM user: Creating an IAM user and managing credentials is unnecessary overhead and less secure compared to a presigned URL for this short-term need.

The correct answer isBbecause the company already runs the application onKubernetes, and the application usesAMQPto communicate with a message queue. Amazon EKS is the AWS managed Kubernetes service, so migrating the containerized workload toAmazon EKSallows the company to preserve its existing Kubernetes-based deployment model while reducing the operational burden of managing the Kubernetes control plane. This is the most straightforward migration path for a Kubernetes application and avoids the need for significant re-architecture.

The messaging requirement is equally important. Because the application specifically usesAMQP, the best AWS managed service isAmazon MQ, which supports industry-standard messaging protocols including AMQP. This means the company can migrate the application with minimal code changes and without replacing the messaging pattern already built into the application.

Option A is incorrect becauseAmazon SQSdoes not support AMQP and would require application changes. Option C is incorrect because running the application on EC2 instances creates more infrastructure management overhead than using a managed container orchestration service. Option D is incorrect because AWS Lambda is not a natural fit for an existing containerized Kubernetes application that depends on AMQP-based messaging, and SQS again does not satisfy the AMQP requirement.

AWS architectural best practices favor managed services that minimize undifferentiated operational work.Amazon EKSreduces Kubernetes control plane management, andAmazon MQpreserves protocol compatibility. Together, they provide the required scalability on AWS with the least operational overhead while supporting the company’s current architecture.

AWS Key Management Service (AWS KMS) provides multi-Region keys, allowing the same key to be used across Regions without managing your own hardware or key replication.

Multi-Region keys are fully managed and support attribute-based access control (ABAC) using tags and condition keys.

CloudHSM (Options C and D) requires full key lifecycle management, synchronization, and hardware operations, resulting in significantly higher overhead.

Imported key material (Option B) increases key-management responsibility.

=====================================================

A. Mutual TLS:Provides secure communication but does not integrate with AWS credential exchange.

B. AWS Signature v4:Requires direct integration with AWS and is less secure for external systems.

C. Kerberos:Not natively supported for AWS API authentication.

D. IAM Roles Anywhere:Enables AWS API access using X.509 certificates without long-term credentials.

Amazon Transcribe supports automatic speech recognition (ASR) with speaker diarization (i.e., multiple speaker identification). The transcripts can be stored in Amazon S3 and queried using Amazon Athena, which provides a serverless, pay-as-you-go interactive querying model.

This solution meets the company ' s requirements with minimal administrative overhead and ensures security and ease of management.

AWS AppConfig: AWS AppConfig is a service designed to manage application configuration in a secure and validated way. It allows you to deploy configurations safely and quickly without affecting the application ' s performance or availability.

AWS Secrets Manager: AWS Secrets Manager is specifically designed to manage, retrieve, and rotate credentials for databases and other services. It integrates seamlessly with AWS services like Amazon RDS, making it an ideal solution for securely storing and retrieving database credentials. Secrets Manager also provides automatic rotation of credentials, reducing the operational burden.

Why Not Other Options?:

Option B (AWS Lambda + Parameter Store): While AWS Lambda can be used for managing configurations and AWS Systems Manager Parameter Store can store credentials, this approach involves more manual setup and does not offer the same level of integrated management and security as AppConfig and Secrets Manager.

Option C (Encrypted S3 Configuration File): Storing configuration and credentials in S3 files involves more manual management and security considerations, increasing the administrative overhead.

Option D (AppConfig + RDS for credentials): RDS is not designed for storing application credentials; it ' s better suited for managing database instances and their configurations.

AWS References:

AWS AppConfig- Describes how to use AWS AppConfig for managing application configurations.

AWS Secrets Manager- Provides details on securely storing and retrieving credentials using AWS Secrets Manager.

The correct answer isAbecause the company wants engineers to reach aspecific development EC2 instancethrough aRoute 53 hosted zone, while ensuring that traffic continues to route correctlyeven if the development instance is replaced. The best way to achieve this is to point the Route 53 record for the development website to theApplication Load Balancerand then configure anALB listener rulethat forwards requests for the development hostname to adedicated target groupcontaining the development instance.

This design works well because the ALB provides a stable endpoint, and Route 53 can alias the development DNS name to the ALB. If the development EC2 instance is replaced, the target group can simply register the new instance. The DNS record does not need to change, and engineers continue to use the same development URL. This minimizes operational effort and supports automatic continuity.

Option B is incorrect because using a public IP address for a specific instance does not automatically handle instance replacement unless additional manual steps are taken. Option C is incorrect because redirecting users to a public IP is not the intended design and introduces unnecessary exposure and management complexity. Option D is incorrect because placing all instances in the same target group would not ensure that requests for the development website are sent only to the specific development instance.

AWS best practices favor usingload balancers and target groupsas stable routing layers rather than binding DNS names directly to ephemeral instance IP addresses. Therefore, the most reliable and maintainable solution is to useRoute 53 + ALB + a dedicated target groupfor the development instance.

For a large-scale multi-account AWS environment with many VPCs and centralized Direct Connect, AWS recommends using a Transit Gateway (TGW) architecture combined with a Direct Connect gateway (DXGW). This setup allows scalable, centralized connectivity between on-premises and multiple VPCs across accounts.

Step B: Creating a Direct Connect gateway and Transit Gateway in a central network account and connecting them via a transit VIF enables the on-premises network to access all connected VPCs.

Step D: Sharing the transit gateway with other accounts via AWS Resource Access Manager (RAM) allows the central TGW to attach VPCs in multiple accounts, simplifying multi-account connectivity.

Step F: To route cloud resources’ internet traffic back through the on-premises data center (for centralized egress), provisioning only private subnets and routing outbound internet traffic through NAT or firewall services in the data center is necessary. This requires configuring transit gateway and customer gateway routes appropriately.

Option A is partially correct in the use of Direct Connect gateway but association proposals are not scalable for hundreds of VPCs and accounts compared to transit gateway. Option C (internet gateway) is irrelevant here as traffic egress is required via on-premises data center, not directly to the internet. Option E (VPC peering) is not scalable for hundreds of VPCs.

The best AWS-native design isAmazon Kinesis Data Streamsfor real-time ingestion andAmazon OpenSearch Servicefor near-real-time search and analytics. AWS describes OpenSearch Service as a managed search and analytics engine for real-time application monitoring and similar use cases, and AWS also provides architectures for delivering real-time data from Kinesis into OpenSearch. QuickSight is then appropriate for dashboards and visualizations. The other answers either introduce more operational overhead or use services that are not the best fit for real-time search workloads. For an on-premises search application moving to AWS, Kinesis plus OpenSearch is the most natural managed solution.

============

Key Requirements:

Protect public endpoints (CloudFront distributions and ALBs) frommalicious attacks.

Centralizedmanagementacross multiple accounts in an organization.

Ability tomonitor security configurationseffectively.

Minimizeoperational overhead.

Analysis of Options

Option A:

AWS WAF:Protects web applications by filtering and blocking malicious requests. Rules can be applied to both ALBs and CloudFront distributions.

AWS Firewall Manager:Enables centralized management of WAF rules across multiple accounts in an AWS Organizations organization. It simplifies rule deployment, avoiding the need to configure rules individually in each account.

AWS Config:Monitors compliance by using rules that check Regional and global WAF configurations. Ensures that security configurations align with organizational policies.

Operational Overhead:Centralized management and automated monitoring reduce the operational burden.

Correct Approach:Meets all requirements with the least overhead.

Option B:

This approach involves applying WAF rules in each account manually.

While AWS Config and AWS Security Hub provide monitoring capabilities, managing individual WAF configurations in multiple accounts introduces significant operational overhead.

Incorrect Approach:Higher overhead compared to centralized management with AWS Firewall Manager.

Option C:

Similar to Option A but includesAmazon Inspector, which is not designed for monitoring WAF configurations.

AWS Security Hubis appropriate for monitoring but is redundant when Firewall Manager and Config are already in use.

Incorrect Approach:Adds unnecessary complexity and does not focus on monitoring WAF specifically.

Option D:

AWS Shield Advanced:Focuses on mitigating large-scale DDoS attacks but does not provide the fine-grained web application protection offered by WAF.

AWS Config:Can monitor Shield Advanced configurations but does not fulfill the WAF monitoring requirements.

Incorrect Approach:Does not address the need for WAF or centralized rule management.

Why Option A is Correct

Protection:

AWS WAF provides fine-grained filtering and protection against SQL injection, cross-site scripting, and other web vulnerabilities.

Rules can be applied at both ALBs and CloudFront distributions, covering all public endpoints.

Centralized Management:

AWS Firewall Manager enables security teams to centrally define and manage WAF rules across all accounts in the organization.

Monitoring:

AWS Config ensures compliance with WAF configurations by checking rules and generating alerts for misconfigurations.

Operational Overhead:

Centralized management via Firewall Manager and automated compliance monitoring via AWS Config greatly reduce manual effort.

AWS Solution Architect References

AWS WAF Documentation

AWS Firewall Manager Documentation

AWS Config Best Practices

AWS Organizations Documentation

Amazon Data Lifecycle Manager (DLM) automates the creation, retention, and deletion of EBSsnapshots. This allows organizations to define policies that ensure snapshots are only kept as long as needed, reducing costs automatically and minimizing manual effort. AWS recommends using DLM for optimizing storage and managing backup lifecycle with minimal overhead.

The workload described is event-driven, low volume, and sporadic, making serverless architecture the most cost-effective choice. AWS Lambda, when triggered by S3 event notifications, runs only when new photos are uploaded and incurs cost only for execution time.

Option C uses S3 event notifications to invoke a Lambda function whenever a new object is created. The Lambda function generates a thumbnail and uploads it to a second S3 bucket. This solution requires no servers, no scheduling, and no idle compute costs, making it extremely cost-efficient for 150 uploads per day.

Options A and B involve running long-lived compute resources that would remain idle most of the time, resulting in unnecessary cost. Option D is invalid because S3 Storage Lens is designed for storage analytics and reporting, not event-driven processing.

Therefore, C is the most cost-effective and operationally efficient solution.

A & B. GuardDuty:Designed for threat detection, not for identifying or classifying sensitive data in S3 buckets.

C. Macie with EventBridge + SNS:Automatically identifies sensitive data, triggers alerts, and uses SNS for immediate notification via email.

D. Macie with EventBridge + SQS:Introduces latency due to periodic polling and adds unnecessary complexity.

Amazon Neptune: Neptune is a fully managed graph database service that is optimized for storing and querying highly connected data. It supports both property graph and RDF graph models, making it suitable for applications that need to analyze relationships between data entities.

Neptune Streams: Neptune Streams captures changes to the graph and streams these changes to other AWS services. This is useful for applications that need to monitor and respond to changes in real-time, such as providing recommendations based on user interactions and relationships.

Least Operational Overhead: Using Neptune Streams directly with Amazon Neptune ensures that the solution is tightly integrated, reducing the need for additional components and minimizing operational overhead. This integration simplifies the architecture by eliminating the need for a separate service like Kinesis for change processing.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

Amazon Macie is the AWS managed service specifically built to discover, classify, and protect sensitive data in Amazon S3, including many common types of personally identifiable information (PII). Macie uses automated analysis and machine learning to identify sensitive data patterns at scale and produces findings that can be reviewed, prioritized, and integrated into security workflows. Because the environment spans hundreds of buckets, millions of objects, and multiple Regions, the key requirement is to minimize operational overhead while achieving broad coverage.

Option C is therefore the best fit: enabling Macie and configuring it to evaluate the targeted buckets provides a centralized, managed approach without building custom scanners, maintaining parsing logic, or operating distributed processing pipelines. Macie is designed for large-scale S3 estates and reduces ongoing maintenance compared with bespoke solutions.

Option A is incorrect because Amazon Detective is used to investigate and analyze security findings and relationships, not to classify S3 object content for PII. Option B is incorrect because Trusted Advisor provides best-practice checks (cost, security posture items, limits), but it does not inspect S3 object contents to detect PII. Option D would require building and operating custom Lambda scanning across millions of objects, handling pagination, retries, file types, performance tuning, and cost controls—high operational overhead and ongoing maintenance, which the company wants to avoid.

Therefore, C meets the requirement most directly and with the least operational burden by using the AWS service purpose-built for PII discovery in S3.

The correct answer isAbecause the application is aglobal Voice over IPworkload that needslow latency,high availability, andautomated failover across AWS Regions.AWS Global Acceleratoris specifically designed to improve the availability and performance of global applications by routing user traffic over the AWS global network to the optimal healthy endpoint. It usesstatic Anycast IP addresses, which means users connect through fixed IP addresses that do not depend on client-side DNS or IP address caching behavior.

This is especially valuable for latency-sensitive applications such as Voice over IP, where rapid routing decisions and fast failover are critical. Global Accelerator continuously monitors endpoint health and can automatically direct traffic to healthy endpoints in another AWS Region if a failure occurs. This supports the requirement for cross-Region failover with minimal disruption.

Option B is incorrect becauseRoute 53 geolocation routingdirects traffic based on user location, but DNS-based routing can be affected by client-side caching and does not provide the same performance acceleration or fast failover behavior as Global Accelerator. Option C is incorrect becauseAmazon CloudFrontis primarily a content delivery network for HTTP and similar content distribution scenarios, not the preferred service for real-time Voice over IP traffic. Option D is incorrect because anApplication Load Balancerdoes not by itself provide global routing or multi-Region failover.

AWS best practices for global, latency-sensitive applications recommendAWS Global Acceleratorwhen the goal is to improve performance, use the AWS backbone network, and provide health-based failover without depending on DNS cache expiration. Therefore,AWS Global Accelerator with health checksis the best solution.

Converting the existing DynamoDB table to aglobal tableprovides active-active replication and low-latency reads and writes in both Regions. DynamoDB global tables are specifically designed for multi-Region and multi-active use cases.

Option A:GSIs do not provide multi-Region replication or active-active capabilities.

Option B and D:Using DynamoDB Streams and custom replication is less operationally efficient than global tables and introduces additional complexity.

AWS Documentation References:

DynamoDB Global Tables

Amazon Aurora PostgreSQL with Babelfish allows Aurora to understand SQL Server T-SQL and the SQL Server wire protocol. This enables applications to continue using SQL Server drivers, minimizing code changes (Option B).

Migration of schema and data is performed using AWS Schema Conversion Tool (SCT) and AWS Database Migration Service (DMS) (Option C), which is the AWS-recommended migration pattern for heterogeneous database migrations.

AWS DMS (Option E) does not rewrite application SQL.

RDS Proxy (Option D) does not translate SQL Server protocols.

Option A requires rewriting application queries, which contradicts the “minimal changes” requirement.

To track costs associated with different teams within a single AWS account, the company should implement user-defined cost allocation tags.

Tagging Resources with CostCenter: Assign the CostCenter tag to all resources, specifying the appropriate value for each team. This practice enables the organization to categorize and track AWS costs effectively.

Activating the CostCenter Tag: After tagging resources, activate the CostCenter tag in the AWS Billing and Cost Management console. Activation is necessary for the tags to appear in cost allocation reports and AWS Cost Explorer.

By following these steps, the company can generate detailed billing reports that break down costs by team, facilitating better cost management and accountability.

A. API Gateway + DynamoDB:Provides high scalability, low latency, and seamless integration with Amazon Comprehend for NLP tasks.

B. HTTP API + Translate + ElastiCache:Translate is not relevant for NLP tasks like sentiment analysis or entity recognition. ElastiCache is unsuitable for permanent storage.

C. SQS + EC2 + RDS:Increases complexity and operational overhead. RDS may not scale effectively for high concurrent loads.

D. WebSocket API + Textract:Textract is irrelevant for NLP tasks. WebSocket API is not the optimal choice for this use case.

Workload Discovery on AWS is a tool that automatically discovers AWS resources across multiple accounts and Regions and builds visual architecture diagrams that show resource relationships. It is specifically designed to help teams understand and document existing workloads with minimal manual effort.

This service provides multi-account visibility, relationship mapping, and exportable diagrams, which directly satisfies the need to “build and map the relationship details of the various workloads” with the least operational overhead.

Systems Manager Inventory (Option A) focuses on collecting configuration and inventory data (primarily for instances and some resources) and does not generate architecture diagrams or full relationship views.

Step Functions (Option B) and X-Ray (Option D) would require custom collection and manual diagramming and are not purpose-built for environment discovery and mapping.

To securely integrate Amazon S3 with an application that uses Amazon Cognito for user authentication, the following two steps are essential:

Step 1: Create an Amazon Cognito Identity Pool (Option A)

Amazon Cognito Identity Poolsallow users to obtain temporary AWS credentials to access AWS resources, such as Amazon S3, after successfully authenticating with the Cognito user pool. The identity pool bridges the gap between user authentication and AWS service access by generating temporary credentials using AWS Identity and Access Management (IAM).

Once a user logs in using theCognito User Pool, the identity pool providesIAM roles with specific permissionsthat the application can use to access S3 securely. This ensures that each user has appropriate access controls while accessing the S3 bucket.

This is a secure way to ensure that users only have temporary and least-privilege access to the S3 bucket for their documents.

Step 2: Create an Amazon S3 VPC Endpoint (Option C)

By creating anAmazon S3 VPC endpoint, the company ensures that communication between the application (which is hosted in a private subnet) and the S3 bucket occurs over theAWS private network, without the need to traverse the internet. This enhances security and prevents exposure of data to public networks.

TheVPC endpointallows the application to access the S3 bucket privately and securely within the VPC. It also ensures that traffic stays within the AWS network, reducing attack surface and improving overall security.

Why the Other Options Are Incorrect:

Option B: This is incorrect becauseAmazon Cognito User Poolsare used for user authentication, not for generating S3 access tokens. To provide S3 access, you need to useAmazon Cognito Identity Pools, which offer AWS credentials.

Option D: ANAT gatewayis unnecessary in this scenario. Using aVPC endpointfor S3 access provides a more secure and cost-effective solution by keeping traffic within AWS.

Option E: Attaching a policy to restrict access based on IP addresses is not scalable or efficient. It would require managing users’ dynamic IP addresses, which is not an effective security measure for this use case.

AWS References:

Amazon Cognito Identity Pools

Amazon VPC Endpoints for S3

Explanation (AWS Docs):

To allow private subnets to access the internet, deploy NAT gateways in a public subnet in each AZ for high availability. NAT instances are less scalable and less fault-tolerant.

“To create a highly available architecture, create a NAT gateway in each Availability Zone and configure your routing to use it.”

— NAT Gateway Overview

Option B: Pre-signed URLs provide temporary, authenticated access to S3, limiting uploads to the time frame specified. This solution is lightweight, efficient, and easy to implement.

Option Arequires the management of IAM temporary credentials, adding complexity.

Option Cinvolves unnecessary development effort.

Option Dintroduces more complexity with STS and roles than pre-signed URLs.

S3 Object Lock in Compliance Mode prevents objects from being deleted or overwritten for a fixed, specified retention period. Compliance Mode is specifically designed to meet regulatory requirements, ensuring that no user, including the root user, can modify or delete the object during the retention period.

Reference Extract:

" S3 Object Lock in compliance mode protects objects from being deleted or overwritten during the specified retention period, helping meet regulatory retention requirements. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Object Lock and Compliance section.

The workload is Windows-based and requires a shared file system with SMB support and very high throughput for 4K video editing.

Amazon FSx for Windows File Server is a fully managed, highly available native Windows file system that supports the SMB protocol, Active Directory integration, and can deliver high throughput and low latency suitable for media workloads.

FSx for Windows File Server supports automatic storage scaling to grow file system capacity as data increases, matching the requirement of +1 TB per week with minimal admin effort.

A Multi-AZ SSD deployment provides high availability and performance.

Why others are not correct:

B: Amazon EFS is NFS, not SMB, and is optimized for Linux clients, not Windows-based environments.

C: FSx for Lustre is a high-performance POSIX file system typically used with Linux-based HPC workloads, not Windows + SMB.

D: S3 File Gateway is not designed for sustained multi-GB/s shared-edit performance and adds additional complexity; it is more suited for backup/archival and limited shared file access.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The requirement is an automated notification 30 days before an imported ACM certificate expires, delivered to the security team via an existing SNS topic with email subscription. The most operationally efficient approach is to use Amazon EventBridge with the managed event type for ACM certificate expiration. ACM publishes an event when a certificate is approaching expiration, and EventBridge can match that event and route it directly to a target service without custom polling logic.

Option D uses an EventBridge rule for the ACM Certificate Approaching Expiration event and sets the SNS topic as the target. This directly delivers an alert to the existing notification channel (email via SNS) and requires minimal code and minimal ongoing maintenance. It also avoids building and scheduling a scanner that must enumerate certificates, calculate dates, handle pagination, and manage failures.

Option C sends the event to SQS. While SQS is useful for decoupling and buffering, the requirement is to notify the security team, and SNS is already configured for email delivery. Using SQS would add an extra consumer component to read from the queue and publish notifications, which is additional operational overhead.

Options A and B require a custom Lambda-based scanning solution. That introduces scheduling (for example, EventBridge schedule), logic to detect “30 days remaining,” error handling, and ongoing maintenance. Since ACM already emits a purpose-built event for expiring certificates, polling is unnecessary and less efficient.

Therefore, D is the best solution: it uses a native event from ACM, routes it through EventBridge, and notifies the security team through the existing SNS topic with the least operational effort.

For encryption in transit, AWS Certificate Manager ACM is the correct service because it provisions and manages TLS certificates for HTTPS connections. For encryption at rest, AWS KMS is the right service because it manages encryption keys used by services such as Amazon EBS. AWS documentation and whitepapers consistently position ACM for certificate-based transport encryption and KMS for at-rest encryption key management across AWS services. GuardDuty and Shield are security detection and DDoS protection services, not encryption services. Secrets Manager stores and rotates secrets, but it is not the service used to encrypt all application data at rest or TLS sessions in transit.

============

The correct answer isBbecause the company wantshigh availability,minimum downtime,minimum data loss, and theleast operational effort. For the application tier, configuring the Auto Scaling group to spanmultiple Availability Zonesincreases resilience by ensuring that the loss of one Availability Zone does not make the application unavailable. Since the application is already behind an Application Load Balancer, traffic can continue to be routed to healthy instances in other Availability Zones.

For the database tier, the single-AZ Aurora PostgreSQL deployment represents a single point of failure. Configuring the database forMulti-AZimproves availability and durability by maintaining a synchronized standby in another Availability Zone and supporting failover with minimal disruption. This approach is aligned with AWS best practices for relational database high availability.

UsingAmazon RDS Proxyfurther improves availability at the application layer by managing database connections efficiently and helping applications reconnect more quickly during failover events. This reduces the operational complexity of handling transient database interruptions and can improve application resilience.

Option A introduces multi-Region complexity, which is not required to meet the stated need and creates more operational overhead. Option C does not provide high availability because snapshots are a backup and restore mechanism, not an automatic failover solution, and hourly snapshots can result in significant data loss. Option D is unnecessarily complex and changes the application data flow in a way that is not needed.

The simplest and most AWS-aligned solution is to make both the compute and database layers highly available acrossmultiple Availability Zones. That provides resilience with the least operational burden.

DynamoDB export to Amazon S3 (via point-in-time exports or table backups) “does not consume read capacity” and has no impact on table performance. Once data is in S3, Amazon Redshift can ingest efficiently with COPY from S3, which is the standard, parallel, high-throughput load path with minimal management. Direct COPY from DynamoDB (B) performs a table scan that can consume provisioned throughput, risking throttling. Building Lambda pipelines (C) adds custom code and scheduling overhead. Athena federated queries (D) are ad hoc analytics, not optimized for bulk, recurring warehouse loads. Therefore, exporting to S3 and loading with Redshift COPY maintains DynamoDB throughput and minimizes operational burden.

Amazon FSx for Lustre is the ideal solution for high-performance computing (HPC) workloads that require parallel access to a shared file system with low latency. FSx for Lustre is designed specifically to meet the needs of such workloads, offering sub-millisecond latencies, which makes it well-suited for the 1 ms latency requirement mentioned in the question.

Here is why FSx for Lustre is the best fit:

Parallel File System: FSx for Lustre is a parallel file system that can scale across hundreds of Amazon EC2 instances, providing high throughput and low-latency access to data. It is optimized for processing large datasets in parallel, which is essential for HPC workloads.

Low Latency: FSx for Lustre is capable of providing access latencies well within 1 ms, making it ideal for performance-sensitive workloads like HPC.

Seamless Integration with Amazon S3: FSx for Lustre can be linked to an Amazon S3 bucket. This integration allows data to be imported from S3 into FSx for Lustre before the workload begins and exported back to S3 after processing. This feature is crucial for manual postprocessing because it enables engineers to access the dataset in S3 after processing.

Performance: FSx for Lustre is built for workloads that require high performance, such as machine learning, analytics, media processing, and financial simulations, which are typical for HPC environments.

In contrast:

Amazon EFS (Option A): While EFS provides shared file storage and scales across multiple EC2 instances, it does not offer the same level of performance or sub-millisecond latencies as FSx for Lustre. EFS is more suited for general-purpose workloads, not high-performance computing.

Mounting S3 as a file system (Option B and D): S3 is object storage, not a file system designed for low-latency access and parallel processing. Mounting S3 buckets directly or using AWS Resource Access Manager to share the bucket would not meet the low-latency (1 ms) or performance requirements needed for HPC workloads.

Therefore, Amazon FSx for Lustre (Option C) is the most appropriate and verified solution for this scenario.

AWS References:

Amazon FSx for Lustre

Best Practices for High Performance Computing (HPC)

Amazon FSx and Amazon S3 Integration

Amazon ECS is the lowest-overhead choice because it avoids the control-plane and node-management work of EKS or raw EC2 while still supporting highly available multi-AZ placement. AWS ECS guidance notes that the service scheduler canspread tasks across Availability Zones, and target tracking scaling is a standard way to scale ECS services based on demand. Setting a minimum capacity of 3 ensures at least one task can remain in each Availability Zone, improving resilience. The EC2 and EKS options require more infrastructure management, and Lambda is not the right fit for generic containerized application workloads. Therefore, ECS with spread placement across AZs and service auto scaling is the best answer.

Big data workloads that need to process terabytes of data in memory requirememory-optimized instancesfor the core and task nodes to ensure sufficient memory for processing data efficiently.

Primary Node:Ageneral purpose instanceis suitable because it manages cluster operations, including coordination and monitoring, and does not process data directly.

Core and Task Nodes:These nodes handle data storage and processing.Memory-optimized instancesare ideal because they provide high memory-to-CPU ratios, which is critical for in-memory big data workloads.

Why Other Options Are Incorrect:

Option A:Storage optimized and compute optimized instances are not suitable for workloads that rely heavily on in-memory processing.

Option B:A memory-optimized primary node is unnecessary because the primary node does not process data.

Option D:General purpose instances for all nodes will not provide sufficient memory for processing terabytes of data in memory.

AWS Documentation References:

Amazon EMR Instance Types

Memory-Optimized Instances

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The requirements are straightforward: expose the Lambda microservice through an HTTPS endpoint and authenticate calls using IAM. Lambda function URLs are a built-in feature that provides a dedicated HTTPS endpoint for a Lambda function without requiring API Gateway, ALB, or CloudFront. When configured with the authentication type AWS_IAM, the endpoint requires requests to be signed with AWS Signature Version 4 and authorized by IAM policies. This directly satisfies the “must use IAM to authenticate calls” requirement with the least architectural complexity.

Option A can also secure an endpoint with IAM, but it proposes using a Lambda authorizer, which is typically used for custom authorizers (JWT/OAuth/Cognito/external identity). For IAM authentication in API Gateway, you generally use IAM authorization on the method, not an authorizer function. Also, API Gateway REST APIs introduce additional service configuration and per-request costs when a simpler managed option exists that meets the requirements.

Options C and D are not appropriate. Lambda@Edge and CloudFront Functions run at CloudFront edge locations with different programming and deployment models; they are designed for CDN request/response manipulation, not as the primary mechanism to expose a regional Lambda microservice endpoint with IAM authentication. CloudFront Functions in particular is for lightweight JavaScript at the edge and does not provide a native “AWS_IAM authentication type” for invoking an origin Lambda as a microservice endpoint.

Therefore, B is the cleanest and most secure fit: a native HTTPS endpoint backed by Lambda, protected with IAM-based SigV4 authentication.

Protecting an application from layer 7 (application layer) DDoS attacks is best achieved by using AWS WAF (Web Application Firewall), which provides customizable protection against common web exploits including DDoS attacks at the application layer. AWS WAF supports managed rule groups maintained by AWS, which offer robust, tested protections against OWASP top 10 vulnerabilities and common attack patterns without requiring extensive manual rule creation.

While AWS Shield Standard provides basic network-layer DDoS protection automatically at no additional charge, it does not offer application-layer filtering capabilities. Therefore, option A alone is insufficient.

Option B, involving only custom rules, requires significant operational overhead and expertise, whereas AWS managed rules offer a turnkey solution with ongoing updates from AWS security teams.

Option D, using CloudFront in front of the ALB, can provide additional protection benefits such as caching and geographic restrictions, but the question specifically asks for protecting against layer 7 DDoS on the ALB directly. CloudFront plus WAF is a valid enhanced solution, but the direct and recommended answer in AWS official documents is to use AWS WAF managed rules directly with ALB for application-level protection.

AWS WAF (Web Application Firewall) is designed to protect public-facing web applications from common web exploits and allows for deep inspection of HTTP and HTTPS requests. By enabling logging on AWS WAF, you can gain insights into traffic flow, request sources, and blocked requests, which improves both security visibility and posture. Integrating AWS WAF logging with Amazon Kinesis Data Firehose allows automatic, near-real-time delivery of log data to Amazon S3 for analysis, reporting, or integration with analytics tools. This solution not only secures the website but also enables comprehensive traffic analysis, satisfying both requirements efficiently.

Reference Extract from AWS Documentation / Study Guide:

" AWS WAF provides detailed logs of web requests, which can be delivered to Amazon S3 via Amazon Kinesis Data Firehose. This logging enables analysis of web traffic and sources, supporting both security and operational monitoring. "

Source: AWS Certified Solutions Architect – Official Study Guide, Security and Compliance section; AWS WAF Developer Guide (Logging and Monitoring).

AWS Fargate provides per-pod isolation for CPU, memory, storage, and networking, making it ideal for multi-tenant use cases.

AWS Documentation References:

EKS with Fargate

AWS Transfer Family: This service provides fully managed support for file transfers directly into and out of Amazon S3 using the SFTP, FTPS, and FTP protocols.

SFTP Endpoints:

Set up an AWS Transfer Family server and configure SFTP endpoints to handle the file transfers.

This service is scalable and managed, reducing operational overhead compared to running an SFTP solution on EC2 instances.

Integration with Active Directory:

Choose the AWS Directory Service option as the identity provider for the Transfer Family server.

Use AD Connector to link the on-premises Active Directory with AWS, allowing employees to use their existing AD credentials to access the SFTP service.

Operational Efficiency: This solution leverages managed services for both file transfer and identity management, ensuring minimal changes to the current authentication mechanisms and reducing operational overhead.

S3 One Zone-IA:

Suitable for infrequently accessed data that doesn ' t require multiple Availability Zone resilience.

Cost-effective for storing user-uploaded images that are only used for AI model training twice a year.

S3 Standard:

Ideal for frequently accessed data with high durability and availability.

Store premium user-generated AI images here to ensure they are readily available for download at any time.

S3 Standard-IA:

Cost-effective storage for data that is accessed less frequently but still requires rapid retrieval.

Store non-premium user-generated AI images here, as these images are only downloaded once every 6 hours, making it a good balance between cost and accessibility.

Cost-Effectiveness: This solution optimizes storage costs by categorizing data based on access patterns and durability requirements, ensuring that each type of data is stored in the most cost-effective manner.

To prevent loss of access to the AWS root user account due to a lost MFA device, AWS recommends enabling multiple MFA devices for the root user.

Multiple MFA Devices: AWS allows up to eight MFA devices (virtual, hardware, or security keys) to be associated with a single root user account. This redundancy ensures that if one device is lost, others can be used to authenticate and access the account.

Security Best Practices: Implementing multiple MFA devices enhances account security and provides resilience against potential access issues.

By proactively setting up multiple MFA devices, the company can maintain uninterrupted access to its critical AWS resources, even in the event of a lost or malfunctioning MFA device.

The correct answer isDbecause the application runs onAWS Fargate On-Demand capacity, cannot tolerate interruptions, and the company wants tooptimize costswhile keeping the application operational. ACompute Savings Planis designed to reduce costs for consistent compute usage across AWS services, includingAWS Fargate, without requiring changes to the application architecture or using interruptible capacity.

A Savings Plan provides discounted pricing in exchange for a usage commitment over a period of time. This is ideal for workloads that must continue running without interruption because the application can remain onFargate On-Demand, which avoids the termination risk associated with Spot capacity. The company gets cost savings while preserving the reliability characteristics of the current deployment model.

Option A is incorrect becauseOn-Demand Capacity Reservationsare used to reserve EC2 capacity in a specific Availability Zone and do not apply as the main cost optimization mechanism for Fargate tasks. Option B is incorrect becauseConvertible Reserved Instancesapply to Amazon EC2, not Fargate. Option C is incorrect becauseFargate Spotcan be interrupted and therefore does not meet the requirement that the application cannot tolerate sudden interruptions.

AWS cost optimization guidance recommends selecting discount models that align with workload needs. For predictable, steady serverless container usage on Fargate that must remain highly available,Compute Savings Plansoffer the best balance of lower cost and uninterrupted operation. Therefore, purchasing aCompute Savings Planis the most appropriate solution.

The correct answer isDbecause the application is written entirely inJavaScript and runs in users’ web browsers, which means the workload is essentially astatic web application. Static assets such as HTML, JavaScript, CSS, and related files are best hosted onAmazon S3, which provides highly durable and low-cost object storage. PuttingAmazon CloudFrontin front of the S3 bucket allows the application to be delivered globally through edge locations, which reduces latency for users in many countries while also lowering the load on the origin.

This design is more cost-effective than continuing to serve the application from EC2 instances behind an ALB because it eliminates most of the compute and load balancing cost for static content delivery. CloudFront caches the content close to users and can improve performance worldwide without the complexity of deploying full application stacks in multiple Regions.

Option A is less cost-effective because it still depends on the ALB and EC2 instances as the origin for content that is static. Also, CloudFront requires an ACM certificate inus-east-1for custom domain names, so reusing the existing certificate from the ALB is not the right assumption. Option B introduces significant multi-Region infrastructure cost and management overhead. Option C is unnecessarily complex because multiple S3 buckets in multiple Regions are not required when CloudFront can cache globally from a single origin.

AWS best practices for static web applications recommendAmazon S3 for storageandAmazon CloudFront for global distribution. This approach provides strong performance, simplicity, and cost optimization.