Exam4Training

Amazon SAA-C02 AWS Certified Solutions Architect – Associate Online Training

Question #1

A company’s website hosted on Amazon EC2 instances processes classified data stored in Amazon S3. Due to security concerns, the company requires a private and secure connection between its EC2 resources and Amazon S3.

Which solution meets these requirements?

  • A . Set up S3 bucket policies to allow access from a VPC endpoint
  • B . Set up an IAM policy to grant read-write access to the S3 bucket.
  • C . Set up a NAT gateway to access resources outside the private subnet
  • D . Set up an access key ID and a secret access key to access the S3 bucket

Correct Answer: A
Question #2

A company runs an application on a group of Amazon Linux EC2 instances. For compliance reasons, the company must retain all application log files for 7 years. The log files will be analyzed by a reporting tool that must be able to access all the files concurrently.

Which storage solution meets these requirements MOST cost-effectively?

  • A . Amazon Elastic Block Store (Amazon EBS)
  • B . Amazon Elastic File System (Amazon EFS)
  • C . Amazon EC2 instance store
  • D . Amazon S3

Correct Answer: D
Question #3

A company processes large amounts of data. The output data is stored in Amazon S3 Standard storage in an S3 bucket, where it is analyzed for 1 month. The data must remain immediately accessible after the 1-month analysis period.

Which storage solution meets these requirements MOST cost-effectively?

  • A . Configure an S3 Lifecycle policy to transition the objects to S3 Glacier after 30 days.
  • B . Configure S3 Intelligent-Tiering to transition the objects to S3 Glacier after 30 days.
  • C . Configure an S3 Lifecycle policy to transition the objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
  • D . Configure an S3 Lifecycle policy to delete the objects after 30 days. Enable versioning on the S3 bucket so that deleted objects can still be immediately restored as needed.

Correct Answer: B
Question #4

A company hosts historical weather records in Amazon S3. The records are downloaded from the company’s website by way of a URL that resolves to a domain name. Users all over the world access this content through subscriptions. A third-party provider hosts the company’s root domain name, but the company recently migrated some of its services to Amazon Route 53. The company wants to consolidate contracts, reduce latency for users, and reduce costs related to serving the application to subscribers.

Which solution meets these requirements?

  • A . Create a web distribution on Amazon CloudFront to serve the S3 content for the application. Create a CNAME record in a Route 53 hosted zone that points to the CloudFront distribution, resolving to the application’s URL domain name.
  • B . Create a web distribution on Amazon CloudFront to serve the S3 content for the application. Create an ALIAS record in the Amazon Route 53 hosted zone that points to the CloudFront distribution, resolving to the application’s URL domain name.
  • C . Create an A record in a Route 53 hosted zone for the application. Create a Route 53 traffic policy for the web application, and configure a geolocation rule. Configure health checks to check the health of the endpoint and route DNS queries to other endpoints if an endpoint is unhealthy.
  • D . Create an A record in a Route 53 hosted zone for the application. Create a Route 53 traffic policy for the web application, and configure a geoproximity rule. Configure health checks to check the health of the endpoint and route DNS queries to other endpoints if an endpoint is unhealthy.

Correct Answer: B
Question #5

A company is creating an architecture for a mobile app that requires minimal latency for its users. The company’s architecture consists of Amazon EC2 instances behind an Application Load Balancer running in an Auto Scaling group. The EC2 instances connect to Amazon RDS. Application beta testing showed there was a slowdown when reading the data. However, the metrics indicate that the EC2 instances do not cross any CPU utilization thresholds.

How can this issue be addressed?

  • A . Reduce the threshold for CPU utilization in the Auto Scaling group
  • B . Replace the Application Load Balancer with a Network Load Balancer.
  • C . Add read replicas for the RDS instances and direct read traffic to the replica
  • D . Add Multi-AZ support to the RDS instances and direct read traffic to the new EC2 instance

Correct Answer: C
Question #6

A solutions architect is designing the cloud architecture for a new application that is being deployed on AWS. The application’s users will interactively download and upload files. Files that are more than 90 days old will be accessed less frequently than newer files, but all files need to be instantly available. The solutions architect must ensure that the application can scale to store petabytes of data with maximum durability.

Which solution meets these requirements?

  • A . Store the files in Amazon S3 Standard. Create an S3 Lifecycle policy that moves objects that are more than 90 days old to S3 Glacier.
  • B . Store the files in Amazon S3 Standard. Create an S3 Lifecycle policy that moves objects that are more than 90 days old to S3 Standard-Infrequent Access (S3 Standard-IA).
  • C . Store the files in Amazon Elastic Block Store (Amazon EBS) volumes. Schedule snapshots of the volumes. Use the snapshots to archive data that is more than 90 days old.
  • D . Store the files in RAID-striped Amazon Elastic Block Store (Amazon EBS) volumes. Schedule snapshots of the volumes. Use the snapshots to archive data that is more than 90 days old.

Correct Answer: B
Question #7

An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%.

What should a solutions architect do to maintain the desired performance across all instances in the group?

  • A . Use a simple scaling policy to dynam
  • B . Amazon DynamoDB global tables
  • C . Amazon RDS for MySQL with Multi-AZ enabled
  • D . Amazon RDS for MySQL with a cross-Region snapshot copy

Correct Answer: A
Question #8

A solutions architect needs to design a network that will allow multiple Amazon EC2 instances to access a common data source used for mission-critical data that can be accessed by all the EC2 instances simultaneously. The solution must be highly scalable, easy to implement, and support the NFS protocol.

Which solution meets these requirements?

  • A . Create an Amazon EFS file system. Configure a mount target in each Availability Zone. Attach each instance to the appropriate mount target.
  • B . Create an additional EC2 instance and configure it as a file server. Create a security group that allows communication between the instances and apply that to the additional instance.
  • C . Create an Amazon S3 bucket with the appropriate permissions. Create a role in AWS IAM that grants the correct permissions to the S3 bucket. Attach the role to the EC2 instances that need access to the data.
  • D . Create an Amazon EBS volume with the appropriate permissions. Create a role in AWS IAM that grants the correct permissions to the EBS volume. Attach the role to the EC2 instances that need access to the data.

Correct Answer: A
Question #9

A company has an application that calls AWS Lambda functions. A recent code review found database credentials stored in the source code. The database credentials need to be removed from the Lambda source code. The credentials must then be securely stored and rotated on an ongoing basis to meet security policy requirements.

What should a solutions architect recommend to meet these requirements?

  • A . Store the password in AWS CloudHSM. Associate the Lambda function with a role that can retrieve the password from CloudHSM given its key ID.
  • B . Store the password in AWS Secrets Manager. Associate the Lambda function with a role that can retrieve the password from Secrets Manager given its secret ID.
  • C . Move the database password to an environment variable associated with the Lambda function. Retrieve the password from the environment variable upon execution.
  • D . Store the password in AWS Key Management Service (AWS KMS). Associate the Lambda function with a role that can retrieve the password from AWS KMS given its key ID.

Correct Answer: B
Question #10

A company is migrating a large, mission-critical database to AWS. A solutions architect has decided to use an Amazon RDS for MySQL Multi-AZ DB instance that is deployed with 80,000 Provisioned IOPS for storage. The solutions architect is using AWS Database Migration Service (AWS DMS) to perform the data migration. The migration is taking longer than expected, and the company wants to speed up the process. The company’s network team has ruled out bandwidth as a limiting factor.

Which actions should the solutions architect take to speed up the migration? (Select TWO.)

  • A . Disable Multi-AZ on the target DB instance.
  • B . Create a new DMS instance that has a larger instance size.
  • C . Turn off logging on the target DB instance until the initial load is complete.
  • D . Restart the DMS task on a new DMS instance with transfer acceleration enabled.
  • E . Change the storage type on the target DB instance to Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp2).

Correct Answer: C,D

Question #11

A solutions architect is designing the architecture for a company website that is composed of static content. The company’s target customers are located in the United States and Europe.

Which architecture should the solutions architect recommend to MINIMIZE cost?

  • A . Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to limit the edge locations in use.
  • B . Store the website files on Amazon S3 in the us-east-2 Region. Use an Amazon CloudFront distribution with the price class configured to maximize the use of edge locations.
  • C . Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront geolocation routing policy to route requests to the closest Region to the user.
  • D . Store the website files on Amazon S3 in the us-east-2 Region and the eu-west-1 Region. Use an Amazon CloudFront distribution with an Amazon Route 53 latency routing policy to route requests to the closest Region to the user.

Correct Answer: D
Question #12

An Amazon EC2 administrator created the following policy associated with an IAM group containing several users.

What is the effect of this policy?

  • A . Users can terminate an EC2 instance in any AWS Region except us-east-1.
  • B . Users can terminate an EC2 instance with the IP address 10.100.100.1 in the us-east-1 Region.
  • C . Users can terminate an EC2 instance in the us-east-1 Region when the user’s source IP is 10.100.100.254.
  • D . Users cannot terminate an EC2 instance in the us-east-1 Region when the user’s source IP is 10.100.100.254.

Correct Answer: A
Question #13

A company has created an isolated backup of its environment in another Region. The application is running in warm standby mode and is fronted by an Application Load Balancer (ALB). The current failover process is manual and requires updating a DNS alias record to point to the secondary ALB in another Region.

What should a solutions architect do to automate the failover process?

  • A . Enable an ALB health check
  • B . Enable an Amazon Route 53 health check
  • C . Create a CNAME record on Amazon Route 53 pointing to the ALB endpoint.
  • D . Create conditional forwarding rules on Amazon Route 53 pointing to an internal BIND DNS server

Correct Answer: B
Question #14

A company’s legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption. Due to new compliance requirements, all existing and new data in this database must be encrypted.

How should this be accomplished?

  • A . Create an Amazon S3 bucket with server-side encryption enabled. Move all the data to Amazon S3. Delete the RDS instance.
  • B . Enable RDS Multi-AZ mode with encryption at rest enabled. Perform a failover to the standby instance to delete the original instance.
  • C . Take a snapshot of the RDS instance. Create an encrypted copy of the snapshot. Restore the RDS instance from the encrypted snapshot.
  • D . Create an RDS read replica with encryption at rest enabled. Promote the read replica to master and switch the application over to the new master. Delete the old RDS instance.

Correct Answer: C
Question #15

A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company’s security policy requires that all website traffic be inspected by AWS WAF.

How should the solutions architect comply with these requirements?

  • A . Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only.
  • B . Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.
  • C . Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.
  • D . Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.

Correct Answer: B
Question #16

A company is running a web application on Amazon EC2 instances in an Auto Scaling group. The application uses a database that runs on an Amazon RDS for PostgreSQL DB instance. The application performs slowly as traffic increases, and the database experiences a heavy read load during periods of high traffic.

Which actions should a solutions architect take to resolve these performance issues? (Select TWO.)

  • A . Enable auto scaling for the DB instance.
  • B . Create a read replica for the DB instance. Configure the application to send read traffic to the read replica.
  • C . Enable Multi-AZ for the DB instance. Configure the application to send read traffic to the standby DB instance.
  • D . Create an Amazon ElastiCache cluster. Configure the application to cache query results in the ElastiCache cluster.
  • E . Configure the Auto Scaling group subnets to ensure that the EC2 instances are provisioned in the same Availability Zone as the DB instance.

Correct Answer: B,D
Question #17

A solutions architect must design a database solution for a high-traffic ecommerce web application. The database stores customer profiles and shopping cart information. The database must support a peak load of several million requests each second and deliver responses in milliseconds. The operational overhead for managing and scaling the database must be minimized.

Which database solution should the solutions architect recommend?

  • A . Amazon Aurora
  • B . Amazon DynamoDB
  • C . Amazon RDS
  • D . Amazon Redshift

Correct Answer: B
Question #18

A solutions architect is redesigning a monolithic application to be a loosely coupled application composed of two microservices: Microservice A and Microservice B. Microservice A places messages in a main Amazon Simple Queue Service (Amazon SQS) queue for Microservice B to consume. When Microservice B fails to process a message after four retries, the message needs to be removed from the queue and stored for further investigation.

What should the solutions architect do to meet these requirements?

  • A . Create an SQS dead-letter queue. Microservice B adds failed messages to that queue after it receives and fails to process the message four times.
  • B . Create an SQS dead-letter queue. Configure the main SQS queue to deliver messages to the dead-letter queue after the message has been received four times.
  • C . Create an SQS queue for failed messages. Microservice A adds failed messages to that queue after Microservice B receives and fails to process the message four times.
  • D . Create an SQS queue for failed messages. Configure the SQS queue for failed messages to pull messages from the main SQS queue after the original message has been received four times.

Correct Answer: B

Explanation:

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html#sqs-dead-letter-queues-how-they-work

Question #19

A company currently has 250 TB of backup files stored in Amazon S3 in a vendor’s proprietary format. Using a Linux-based software application provided by the vendor, the company wants to retrieve files from Amazon S3, transform the files to an industry-standard format, and re-upload them to Amazon S3. The company wants to minimize the data transfer charges associated with this conversion.

What should a solutions architect do to accomplish this?

  • A . Install the conversion software as an Amazon S3 batch operation so the data is transformed without leaving Amazon S3.
  • B . Install the conversion software onto an on-premises virtual machine. Perform the transformation and re-upload the files to Amazon S3 from the virtual machine.
  • C . Use AWS Snowball Edge devices to export the data and install the conversion software onto the devices. Perform the data transformation and re-upload the files to Amazon S3 from the Snowball Edge devices.
  • D . Launch an Amazon EC2 instance in the same Region as Amazon S3 and install the conversion software onto the instance. Perform the transformation and re-upload the files to Amazon S3 from the EC2 instance.

Correct Answer: D
Question #20

A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto Scaling group with public subnets that span multiple Availability Zones. The database tier consists of an Amazon RDS for MySQL DB instance in separate private subnets. The web tier requires access to the database to retrieve product information.

The web application is not working as intended. The web application reports that it cannot connect to the database. The database is confirmed to be up and running. All configurations for the network ACLs, security groups, and route tables are still in their default states.

What should a solutions architect recommend to fix the application?

  • A . Add an explicit rule to the private subnet’s network ACL to allow traffic from the web tier’s EC2 instances.
  • B . Add a route in the VPC route table to allow traffic between the web tier’s EC2 instances and the database tier.
  • C . Deploy the web tier’s EC2 instances and the database tier’s RDS instance into two separate VPCs, and configure VPC peering.
  • D . Add an inbound rule to the security group of the database tier’s RDS instance to allow traffic from the web tier’s security group.

Correct Answer: D

Question #21

A company is designing a new web service that will run on Amazon EC2 instances behind an Elastic Load Balancer. However, many of the web service clients can only reach IP addresses whitelisted on their firewalls.

What should a solutions architect recommend to meet the clients’ needs?

  • A . A Network Load Balancer with an associated Elastic IP address
  • B . An Application Load Balancer with an associated Elastic IP address.
  • C . An A record in an Amazon Route 53 hosted zone pointing to an Elastic IP address
  • D . An EC2 instance with a public IP address running as a proxy in front of the load balancer.

Correct Answer: A
Question #22

A company needs to implement a relational database with a multi-Region disaster recovery Recovery Point Objective (RPO) of 1 second and a Recovery Time Objective (RTO) of 1 minute.

Which AWS solution can achieve this?

  • A . Amazon Aurora Global Database
  • B . Amazon DynamoDB global tables
  • C . Amazon RDS for MySQL with Multi-AZ enabled
  • D . Amazon RDS for MySQL with a cross-Region snapshot copy

Correct Answer: A
Question #23

The following IAM policy is attached to an IAM group.

This is the only policy applied to the group.

What are the effective IAM permissions of this policy for group members?

  • A . Group members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the Allow permission are not applied.
  • B . Group members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in with multi-factor authentication (MFA).
  • C . Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for all Regions when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action.
  • D . Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action within the us-east-1 Region.

Correct Answer: D

Explanation:

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html

By default, AWS Identity and Access Management (IAM) users don’t have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permissions for the specific resources and API actions they’ll need to use, and then attach those policies to the IAM users or groups that require those permissions.

Question #24

A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest.

Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?

  • A . Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database volume.
  • B . Deploy AWS CloudHSM, generate encryption keys, and use the customer master key (CMK) to encrypt database volumes
  • C . Configure SSL encryption using AWS Key Management Service customer master keys (AWS KMS CMKs) to encrypt database volumes.
  • D . Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes

Correct Answer: D
Question #25

An ecommerce company hosts its analytics application in the AWS Cloud. The application generates about 300 MB of data each month. The data is stored in JSON format. The company is evaluating a disaster recovery solution to back up the data. The data must be accessible in milliseconds if it is needed, and the data must be kept for 30 days.

Which solution meets these requirements MOST cost-effectively?

  • A . Amazon Elasticsearch Service (Amazon ES)
  • B . Amazon S3 Glacier
  • C . Amazon S3 Standard
  • D . Amazon RDS for PostgreSQL

Correct Answer: A
Question #26

The application’s traffic is often low, but it occasionally grows significantly. During these sudden increases in traffic, DynamoDB returns throttling errors. The result is that error pages are displayed to end users.

What should a solutions architect do to reduce these errors?

  • A . Change the DynamoDB table to use on-demand capacity mode.
  • B . Create a DynamoDB read replica to scale the read traffic horizontally.
  • C . Purchase DynamoDB reserved capacity of 1,000 RCUs and 500 WCUs.
  • D . Configure the application to use strongly consistent reads for DynamoDB queries.

Correct Answer: D
Question #27

A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.

Which actions should the solutions architect take to protect the website from such an attack? (Select TWO.)

  • A . Use AWS Shield Advanced to stop the DDoS attack.
  • B . Configure Amazon GuardDuty to automatically block the attackers.
  • C . Configure the website to use Amazon CloudFront for both static and dynamic content.
  • D . Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
  • E . Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization

Correct Answer: A,D
Question #28

A company runs an application on Amazon EC2 instances. The application is deployed in private subnets in three Availability Zones of the us-east-1 Region. The instances must be able to connect to the internet to download files. The company wants a design that is highly available across the Region.

Which solution should be implemented to ensure that there are no disruptions to internet connectivity?

  • A . Deploy a NAT instance in a private subnet of each Availability Zone.
  • B . Deploy a NAT gateway in a public subnet of each Availability Zone
  • C . Deploy a transit gateway in a private subnet of each Availability Zone.
  • D . Deploy an internet gateway in a public subnet of each Availability Zone

Correct Answer: B
Question #29

A bicycle sharing company is developing a multi-tier architecture to track the location of its bicycles during peak operating hours. The company wants to use these data points in its existing analytics platform. A solutions architect must determine the most viable multi-tier option to support this architecture. The data points must be accessible from the REST API.

Which action meets these requirements for storing and retrieving location data?

  • A . Use Amazon Athena with Amazon S3
  • B . Use Amazon API Gateway with AWS Lambda
  • C . Use Amazon QuickSight with Amazon Redshift.
  • D . Use Amazon API Gateway with Amazon Kinesis Data Analytics

Correct Answer: D
Question #30

A development team needs to host a website that will be accessed by other teams. The website contents consist of HTML, CSS, client-side JavaScript, and images.

Which method is the MOST cost-effective for hosting the website?

  • A . Containerize the website and host it in AWS Fargate.
  • B . Create an Amazon S3 bucket and host the website there
  • C . Deploy a web server on an Amazon EC2 instance to host the website.
  • D . Configure an Application Load Balancer with an AWS Lambda target that uses the Express.js framework.

Correct Answer: B

Question #31

A company’s near-real-time streaming application is running on AWS. As the data is ingested, a job runs on the data and takes 30 minutes to complete. The workload frequently experiences high latency due to large amounts of incoming data. A solutions architect needs to design a scalable and serverless solution to enhance performance.

Which combination of steps should the solutions architect take? (Select TWO.)

  • A . Use Amazon Kinesis Data Firehose to ingest the data
  • B . Use AWS Lambda with AWS Step Functions to process the data.
  • C . Use AWS Database Migration Service (AWS DMS) to ingest the data.
  • D . Use Amazon EC2 instances in an Auto Scaling group to process the data
  • E . Use AWS Fargate with Amazon Elastic Container Service (Amazon ECS) to process the data.

Correct Answer: A,B
Question #32

An administrator of a large company wants to monitor for and prevent any cryptocurrency-related attacks on the company’s AWS accounts.

Which AWS service can the administrator use to protect the company against attacks?

  • A . Amazon Cognito
  • B . Amazon GuardDuty
  • C . Amazon Inspector
  • D . Amazon Macie

Correct Answer: B
Question #33

A company has a custom application running on an Amazon EC2 instance that:

• Reads a large amount of data from Amazon S3.

• Performs a multi-stage analysis.

• Writes the results to Amazon DynamoDB.

The application writes a significant number of large, temporary files during the multi-stage analysis. The process performance depends on the temporary storage performance.

What would be the fastest storage option for holding the temporary files?

  • A . Multiple Amazon S3 buckets with Transfer Acceleration for storage
  • B . Multiple Amazon EBS drives with Provisioned IOPS and EBS optimization
  • C . Multiple Amazon EFS volumes using the Network File System version 4.1 (NFSv4.1) protocol
  • D . Multiple instance store volumes with software RAID 0.

Correct Answer: A
Question #34

A solutions architect needs to design a managed storage solution for a company’s application that includes high-performance machine learning. This application runs on AWS Fargate, and the connected storage needs to have concurrent access to files and deliver high performance.

Which storage option should the solutions architect recommend?

  • A . Create an Amazon S3 bucket for the application and establish an IAM role for Fargate to communicate with Amazon S3
  • B . Create an Amazon FSx for Lustre file share and establish an IAM role that allows Fargate to communicate with FSx for Lustre
  • C . Create an Amazon Elastic File System (Amazon EFS) file share and establish an IAM role that allows Fargate to communicate with Amazon EFS.
  • D . Create an Amazon Elastic Block Store (Amazon EBS) volume for the application and establish an IAM role that allows Fargate to communicate with Amazon EBS

Correct Answer: B
Question #35

A company is launching a new application that will be hosted on Amazon EC2 instances. A solutions architect needs to design a solution that does not allow public IPv4 access that originates from the internet. However, the solution must allow the EC2 instances to make outbound IPv4 internet requests.

The initial design proposal shows that the EC2 instances would be located in two private subnets across two Availability Zones. The entire architecture must be highly available.

How should the solutions architect change the architecture to meet these requirements?

  • A . Deploy a NAT gateway in public subnets in both Availability Zones. Create and configure one route table for each private subnet.
  • B . Deploy an internet gateway in public subnets in both Availability Zones. Create and configure a shared route table for the private subnets.
  • C . Deploy a NAT gateway in public subnets in both Availability Zones. Create and configure a shared route table for the private subnets.
  • D . Deploy an egress-only internet gateway in public subnets in both Availability Zones. Create and configure one route table for each private subnet.

Correct Answer: C
Question #36

A company’s facility has badge readers at every entrance throughout the building. When badges are scanned, the readers send a message over HTTPS to indicate who attempted to access that particular entrance.

A solutions architect must design a system to process these messages from the sensors. The solution must be highly available, and the results must be made available for the company’s security team to analyze.

Which system architecture should the solutions architect recommend?

  • A . Launch an Amazon EC2 instance to serve as the HTTPS endpoint and to process the messages. Configure the EC2 instance to save the results to an Amazon S3 bucket.
  • B . Create an HTTPS endpoint in Amazon API Gateway. Configure the API Gateway endpoint to invoke an AWS Lambda function to process the messages and save the results to an Amazon DynamoDB table.
  • C . Use Amazon Route 53 to direct incoming sensor messages to an AWS Lambda function. Configure the Lambda function to process the messages and save the results to an Amazon DynamoDB table.
  • D . Create a gateway VPC endpoint for Amazon S3. Configure a Site-to-Site VPN connection from the facility network to the VPC so that sensor data can be written directly to an S3 bucket by way of the VPC endpoint.

Correct Answer: B
Question #37

A company’s security team requests that network traffic be captured in VPC Flow Logs. The logs will be frequently accessed for 90 days and then accessed intermittently.

What should a solutions architect do to meet these requirements when configuring the logs?

  • A . Use Amazon CloudWatch as the target. Set the CloudWatch log group with an expiration of 90 days.
  • B . Use Amazon Kinesis as the target. Configure the Kinesis stream to always retain the logs for 90 days.
  • C . Use AWS CloudTrail as the target. Configure CloudTrail to save to an Amazon S3 bucket, and enable S3 Intelligent-Tiering.
  • D . Use Amazon S3 as the target. Enable an S3 Lifecycle policy to transition the logs to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.

Correct Answer: A
Question #38

A company hosts historical weather records in Amazon S3. The records are downloaded from the company’s website by way of a URL that resolves to a domain name. Users all over the world access this content through subscriptions. A third-party provider hosts the company’s root domain name, but the company recently migrated some of its services to Amazon Route 53. The company wants to consolidate contracts, reduce latency for users, and reduce costs related to serving the application to subscribers.

Which solution meets these requirements?

  • A . Create a web distribution on Amazon CloudFront to serve the S3 content for the application. Create a CNAME record in a Route 53 hosted zone that points to the CloudFront distribution, resolving to the application’s URL domain name.
  • B . Create a web distribution on Amazon CloudFront to serve the S3 content for the application. Create an ALIAS record in the Amazon Route 53 hosted zone that points to the CloudFront distribution, resolving to the application’s URL domain name.
  • C . Create an A record in a Route 53 hosted zone for the application. Create a Route 53 traffic policy for the web application, and configure a geolocation rule. Configure health checks to check the health of the endpoint and route DNS queries to other endpoints if an endpoint is unhealthy.
  • D . Create an A record in a Route 53 hosted zone for the application. Create a Route 53 traffic policy for the web application, and configure a geoproximity rule. Configure health checks to check the health of the endpoint and route DNS queries to other endpoints if an endpoint is unhealthy

Correct Answer: C
Question #39

A company is designing a new web service that will run on Amazon EC2 instances behind an Elastic Load Balancer. However, many of the web service clients can only reach IP addresses whitelisted on their firewalls.

What should a solutions architect recommend to meet the clients’ needs?

  • A . A Network Load Balancer with an associated Elastic IP address
  • B . An Application Load Balancer with an associated Elastic IP address
  • C . An A record in an Amazon Route 53 hosted zone pointing to an Elastic IP address
  • D . An EC2 instance with a public IP address running as a proxy in front of the load balancer

Correct Answer: A
Question #40

A company is using AWS Key Management Service (AWS KMS) customer master keys (CMKs) to encrypt AWS Lambda environment variables. A solutions architect needs to ensure that the required permissions are in place to decrypt and use the environment variables.

Which steps must the solutions architect take to implement the correct permissions? (Select TWO.)

  • A . Add AWS KMS permissions in the Lambda resource policy
  • B . Add AWS KMS permissions in the Lambda execution role
  • C . Add AWS KMS permissions in the Lambda function policy.
  • D . Allow the Lambda execution role in the AWS KMS key policy
  • E . Allow the Lambda resource policy in the AWS KMS key policy.

Correct Answer: B,C

Question #41

A company’s website provides users with downloadable historical performance reports. The website needs a solution that will scale to meet the company’s website demands globally. The solution should be cost-effective, limit the provisioning of infrastructure resources, and provide the fastest possible response time.

Which combination should a solutions architect recommend to meet these requirements?

  • A . Amazon CloudFront and Amazon S3
  • B . AWS Lambda and Amazon DynamoDB
  • C . Application Load Balancer with Amazon EC2 Auto Scaling
  • D . Amazon Route 53 with internal Application Load Balancers

Correct Answer: A
Question #42

A company needs to provide its employees with secure access to confidential and sensitive files. The company wants to ensure that the files can be accessed only by authorized users. The files must be downloaded securely to the employees’ devices.

The files are stored in an on-premises Windows file server. However, due to an increase in remote usage, the file server is running out of capacity.

Which solution will meet these requirements?

  • A . Migrate the file server to an Amazon EC2 instance in a public subnet. Configure the security group to limit inbound traffic to the employees’ IP addresses.
  • B . Migrate the files to an Amazon FSx for Windows File Server file system. Integrate the Amazon FSx file system with the on-premises Active Directory. Configure AWS Client VPN.
  • C . Migrate the files to Amazon S3, and create a private VPC endpoint. Create a signed URL to allow download.
  • D . Migrate the files to Amazon S3, and create a public VPC endpoint. Allow employees to sign on with AWS Single Sign-On.

Correct Answer: D
Question #43

A social media company allows users to upload images to its website. The website runs on Amazon EC2 instances. During upload requests, the website resizes the images to a standard size and stores the resized images in Amazon S3. Users are experiencing slow upload requests to the website.

The company needs to reduce coupling within the application and improve website performance. A solutions architect must design the most operationally efficient process for image uploads.

Which combination of actions should the solutions architect take to meet these requirements? (Select TWO.)

  • A . Configure the application to upload images to S3 Glacier.
  • B . Configure the web server to upload the original images to Amazon S3.
  • C . Configure the application to upload images directly from each user’s browser to Amazon S3 through the use of a presigned URL.
  • D . Configure S3 Event Notifications to invoke an AWS Lambda function when an image is uploaded. Use the function to resize the image
  • E . Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function on a schedule to resize uploaded images.

Correct Answer: D,E
Question #44

A company wants to run a hybrid workload for data processing. The data needs to be accessed by on-premises applications for local data processing using an NFS protocol and must also be accessible from the AWS Cloud for further analytics and batch processing.

Which solution will meet these requirements?

  • A . Use an AWS Storage Gateway file gateway to provide file storage to AWS, then perform analytics on this data in the AWS Cloud.
  • B . Use an AWS Storage Gateway tape gateway to copy the backup of the local data to AWS, then perform analytics on this data in the AWS Cloud.
  • C . Use an AWS Storage Gateway volume gateway in a stored volume configuration to regularly take snapshots of the local data, then copy the data to AWS.
  • D . Use an AWS Storage Gateway volume gateway in a cached volume configuration to back up all the local storage in the AWS Cloud, then perform analytics on this data in the cloud.

Correct Answer: A
Question #45

A solutions architect must transfer 750 TB of data from an on-premises network-attached file system to Amazon S3 Glacier. The migration must not saturate the on-premises 10 Mbps internet connection.

Which solution will meet these requirements?

  • A . Create an AWS Site-to-Site VPN tunnel to an S3 bucket. Transfer the files directly by using the AWS CLI.
  • B . Order 10 AWS Snowball Edge Storage Optimized devices, and select an S3 Glacier vault as the destination.
  • C . Mount the network-attached file system to an S3 bucket, and copy the files directly. Create an S3 Lifecycle policy to transition the S3 objects to S3 Glacier.
  • D . Order 10 AWS Snowball Edge Storage Optimized devices, and select an S3 bucket as the destination. Create an S3 Lifecycle policy to transition the S3 objects to S3 Glacier.

Correct Answer: D
Question #46

A company has two VPCs that are located in the us-west-2 Region within the same AWS account. The company needs to allow network traffic between these VPCs. Approximately 500 GB of data transfer will occur between the VPCs each month.

What is the MOST cost-effective solution to connect these VPCs?

  • A . Implement AWS Transit Gateway to connect the VPCs. Update the route tables of each VPC to use the transit gateway for inter-VPC communication.
  • B . Implement an AWS Site-to-Site VPN tunnel between the VPCs. Update the route tables of each VPC to use the VPN tunnel for inter-VPC communication.
  • C . Set up a VPC peering connection between the VPCs. Update the route tables of each VPC to use the VPC peering connection for inter-VPC communication.
  • D . Set up a 1 GB AWS Direct Connect connection between the VPCs. Update the route tables of each VPC to use the Direct Connect connection for inter-VPC communication.

Correct Answer: C
Question #47

A company is developing a serverless web application that gives users the ability to interact with real-time analytics from online games. The data from the games must be streamed in real time. The company needs a durable, low-latency database option for user data. The company does not know how many users will use the application. Any design considerations must provide response times of single-digit milliseconds as the application scales.

Which combination of AWS services will meet these requirements? (Select TWO.)

  • A . Amazon CloudFront
  • B . Amazon DynamoDB
  • C . Amazon Kinesis
  • D . Amazon RDS
  • E . AWS Global Accelerator

Correct Answer: B,C
Question #48

A solutions architect needs to design a resilient solution for Windows users’ home directories. The solution must provide fault tolerance, file-level backup and recovery, and access control, based upon the company’s Active Directory.

Which storage solution meets these requirements?

  • A . Configure Amazon S3 to store the users’ home directories. Join Amazon S3 to Active Directory.
  • B . Configure a Multi-AZ file system with Amazon FSx for Windows File Server. Join Amazon FSx to Active Directory.
  • C . Configure Amazon Elastic File System (Amazon EFS) for the users’ home directories. Configure AWS Single Sign-On with Active Directory.
  • D . Configure Amazon Elastic Block Store (Amazon EBS) to store the users’ home directories. Configure AWS Single Sign-On with Active Directory.

Correct Answer: B
Question #49

A solutions architect must create a highly available bastion host architecture. The solution needs to be resilient within a single AWS Region and should require only minimal effort to maintain.

What should the solutions architect do to meet these requirements?

  • A . Create a Network Load Balancer backed by an Auto Scaling group with a UDP listener.
  • B . Create a Network Load Balancer backed by a Spot Fleet with instances in a partition placement group.
  • C . Create a Network Load Balancer backed by the existing servers in different Availability Zones as the target.
  • D . Create a Network Load Balancer backed by an Auto Scaling group with instances in multiple Availability Zones as the target

Correct Answer: D
Question #50

A leasing company generates and emails PDF statements every month for all its customers. Each statement is about 400 KB in size. Customers can download their statements from the website for up to 30 days from when the statements were generated. At the end of their 3-year lease, the customers are emailed a ZIP file that contains all the statements.

What is the MOST cost-effective storage solution for this situation?

  • A . Store the statements using the Amazon S3 Standard storage class. Create a lifecycle policy to move the statements to Amazon S3 Glacier storage after 1 day.
  • B . Store the statements using the Amazon S3 Glacier storage class. Create a lifecycle policy to move the statements to Amazon S3 Glacier Deep Archive storage after 30 days.
  • C . Store the statements using the Amazon S3 Standard storage class. Create a lifecycle policy to move the statements to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) storage after 30 days.
  • D . Store the statements using the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Create a lifecycle policy to move the statements to Amazon S3 Glacier storage after 30 days.

Correct Answer: D

Question #51

A company is implementing new data retention policies for all databases that run on Amazon RDS DB instances. The company must retain daily backups for a minimum period of 2 years. The backups must be consistent and restorable.

Which solution should a solutions architect recommend to meet these requirements?

  • A . Create a backup vault in AWS Backup to retain RDS backups. Create a new backup plan with a daily schedule and an expiration period of 2 years after creation. Assign the RDS DB instances to the backup plan.
  • B . Configure a backup window for the RDS DB instances for daily snapshots. Assign a snapshot retention policy of 2 years to each RDS DB instance. Use Amazon Data Lifecycle Manager (Amazon DLM) to schedule snapshot deletions.
  • C . Configure database transaction logs to be automatically backed up to Amazon CloudWatch Logs with an expiration period of 2 years.
  • D . Configure an AWS Database Migration Service (AWS DMS) replication task. Deploy a replication instance, and configure a change data capture (CDC) task to stream database changes to Amazon S3 as the target. Configure S3 Lifecycle policies to delete the snapshots after 2 years.

Correct Answer: A
Question #52

A company is hosting an application in its own data center. The application uses Amazon S3 for data storage. The application transfers several hundred terabytes of data every month to and from Amazon S3. The company needs to minimize the cost of this data transfer.

Which solution meets this requirement?

  • A . Establish an AWS Direct Connect connection between the AWS Region in use and the company’s data center. Route traffic to Amazon S3 over the Direct Connect connection.
  • B . Establish an AWS Site-to-Site VPN connection between the company’s data center and a VPC in the AWS Region in use. Create a VPC endpoint for Amazon S3 in the VPC. Route traffic to Amazon S3 over the VPN connection to the S3 endpoint.
  • C . Create an AWS Storage Gateway file gateway. Deploy the software appliance in the company’s data center. Configure the application to use the file gateway to store and retrieve files.
  • D . Create an FTPS server by using AWS Transfer Family. Configure the application to use the FTPS server to store and retrieve files.

Correct Answer: C
Question #53

A company needs a storage solution for an application that runs on a high performance computing (HPC) cluster. The cluster is hosted on AWS Fargate for Amazon Elastic Container Service (Amazon ECS). The company needs a mountable file system that provides concurrent access to files while delivering hundreds of GBps of throughput at sub-millisecond latencies.

Which solution meets these requirements?

  • A . Create an Amazon FSx for Lustre file share for the application data. Create an IAM role that allows Fargate to access the FSx for Lustre file share.
  • B . Create an Amazon Elastic File System (Amazon EFS) file share for the application data. Create an IAM role that allows Fargate to access the EFS file share.
  • C . Create an Amazon S3 bucket for the application data. Create an S3 bucket policy that allows Fargate to access the S3 bucket.
  • D . Create an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS SSD (io2) volume for the application data. Create an IAM role that allows Fargate to access the volume.

Correct Answer: A
Question #54

A company has applications that are deployed in multiple AWS Regions. The applications use an architecture that is based on Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), and Amazon DynamoDB.

The company lacks a mechanism for centralized data backup. A solutions architect must centralize data backup with the least possible operational effort.

What should the solutions architect do to meet these requirements?

  • A . Tag all resources by project. Use AWS Systems Manager to set up snapshots by project and set DynamoDB incremental backups.
  • B . Tag all resources by project. Create backup plans in AWS Backup to back up the data by tag name according to each project’s needs.
  • C . Tag all resources by project. Create an AWS Lambda function to run on schedule and take snapshots of each EC2 instance, EBS volume, and EFS file system by project. Configure the function to invoke DynamoDB on-demand backup.
  • D . Use AWS CloudFormation to create a template for every new project so that all resources can be recreated at any time. Set the template to take daily snapshots of each EC2 instance, EBS volume, and EFS file system. Set the template to use DynamoDB on-demand backup for daily backups.

Correct Answer: B
Question #55

An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%.

What should a solutions architect do to maintain the desired performance across all instances in the group?

  • A . Use a simple scaling policy to dynamically scale the Auto Scaling group
  • B . Use a target tracking policy to dynamically scale the Auto Scaling group
  • C . Use an AWS Lambda function to update the desired Auto Scaling group capacity.
  • D . Use scheduled scaling actions to scale up and scale down the Auto Scaling group

Correct Answer: B
Question #56

A company runs a web application that is backed by Amazon RDS. A new database administrator caused data loss by accidentally editing information in a database table. To help recover from this type of incident, the company wants the ability to restore the database to its state from 5 minutes before any change within the last 30 days.

Which feature should the solutions architect include in the design to meet this requirement?

  • A . Read replicas
  • B . Manual snapshots
  • C . Automated backups
  • D . Multi-AZ deployments

Correct Answer: C
Question #57

A company is running an application on Amazon EC2 instances. Traffic to the workload increases substantially during business hours and decreases afterward. The CPU utilization of an EC2 instance is a strong indicator of end-user demand on the application. The company has configured an Auto Scaling group to have a minimum group size of 2 EC2 instances and a maximum group size of 10 EC2 instances.

The company is concerned that the current scaling policy that is associated with the Auto Scaling group might not be correct. The company must avoid over-provisioning EC2 instances and incurring unnecessary costs.

What should a solutions architect recommend to meet these requirements?

  • A . Configure Amazon EC2 Auto Scaling to use a scheduled scaling plan and launch an additional 8 EC2 instances during business hours.
  • B . Configure AWS Auto Scaling to use a scaling plan that enables predictive scaling. Configure predictive scaling with a scaling mode of forecast and scale, and to enforce the maximum capacity setting during scaling.
  • C . Configure a step scaling policy to add 4 EC2 instances at 50% CPU utilization and add another 4 EC2 instances at 90% CPU utilization. Configure scale-in policies to perform the reverse and remove EC2 instances based on the two values.
  • D . Configure AWS Auto Scaling to have a desired capacity of 5 EC2 instances, and disable any existing scaling policies. Monitor the CPU utilization metric for 1 week. Then create dynamic scaling policies that are based on the observed values.

Correct Answer: B
Question #58

A company’s packaged application dynamically creates and returns single-use text files in response to user requests. The company is using Amazon CloudFront for distribution but wants to further reduce data transfer costs. The company cannot modify the application’s source code.

What should a solutions architect do to reduce costs?

  • A . Use Lambda@Edge to compress the files as they are sent to users.
  • B . Enable Amazon S3 Transfer Acceleration to reduce the response times
  • C . Enable caching on the CloudFront distribution to store generated files at the edge.
  • D . Use Amazon S3 multipart uploads to move the files to Amazon S3 before returning them to users

Correct Answer: C
Question #59

A solutions architect must provide a fully managed replacement for an on-premises solution that allows employees and partners to exchange files. The solution must be easily accessible to employees connecting from on-premises systems, remote employees, and external partners.

Which solution meets these requirements?

  • A . Use AWS Transfer for SFTP to transfer files into and out of Amazon S3.
  • B . Use AWS Snowball Edge for local storage and large-scale data transfers
  • C . Use Amazon FSx to store and transfer files to make them available remotely.
  • D . Use AWS Storage Gateway to create a volume gateway to store and transfer files to Amazon S3

Correct Answer: A
Question #60

What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?

  • A . Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.
  • B . Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.
  • C . Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to true.
  • D . Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.

Correct Answer: D

Question #61

A company receives data from millions of users totalling about 1 TB each day. The company provides its users with usage reports going back 12 months. All usage data must be stored for at least 5 years to comply with regulatory and auditing requirements.

Which storage solution is MOST cost-effective?

  • A . Store the data in Amazon S3 Standard. Set a lifecycle rule to transition the data to S3 Glacier Deep Archive after 1 year. Set a lifecycle rule to delete the data after 5 years.
  • B . Store the data in Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA). Set a lifecycle rule to transition the data to S3 Glacier after 1 year. Set a lifecycle rule to delete the data after 5 years.
  • C . Store the data in Amazon S3 Standard. Set a lifecycle rule to transition the data to S3 Standard-Infrequent Access (S3 Standard-IA) after 1 year. Set a lifecycle rule to delete the data after 5 years.
  • D . Store the data in Amazon S3 Standard. Set a lifecycle rule to transition the data to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 1 year. Set a lifecycle rule to delete the data after 5 years.

Correct Answer: A
Question #62

A company has been running a web application with an Oracle relational database in an on-premises data center for the past 15 years. The company must migrate the database to AWS. The company needs to reduce operational overhead without having to modify the application’s code.

Which solution meets these requirements?

  • A . Use AWS Database Migration Service (AWS DMS) to migrate the database servers to Amazon RDS.
  • B . servers.
  • C . Use AWS Database Migration Service (AWS DMS) to migrate the database servers to Amazon DynamoDB.
  • D . Use an AWS Snowball Edge Storage Optimized device to migrate the data from Oracle to Amazon Aurora.

Correct Answer: C
Question #63

A company has a stateless web application that runs on AWS Lambda functions that are invoked by Amazon API Gateway. The company wants to deploy the application across multiple AWS Regions to provide Regional failover capabilities.

What should a solutions architect do to route traffic to multiple Regions?

  • A . Configure Amazon Route 53 health checks for each Region. Use an active-active failover configuration.
  • B . Create an Amazon CloudFront distribution with an origin for each Region. Use CloudFront health checks to route traffic.
  • C . Create an AWS Transit Gateway. Attach the transit gateway to the API Gateway endpoint in each Region. Configure the transit gateway to route requests.
  • D . Use AWS Global Accelerator to create an accelerator with endpoints in each Region. Allow Global Accelerator to automatically monitor the health of endpoints and route requests.

Correct Answer: A
Question #64

A company is reviewing a recent migration of a three-tier application to a VPC. The security team discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and egress rules between the application tiers.

What should a solutions architect do to correct this issue?

  • A . Create security group rules using the instance ID as the source or destination.
  • B . Create security group rules using the security ID as the source or destination.
  • C . Create security group rules using the VPC CIDR blocks as the source or destination.
  • D . Create security group rules using the subnet CIDR blocks as the source or destination.

Correct Answer: C

Explanation:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html

Question #65

A company needs to store 160 TB of data for an indefinite period of time. The company must be able to use standard SQL and business intelligence tools to query all of the data. The data will be queried no more than twice each month.

What is the MOST cost-effective solution that meets these requirements?

  • A . Store the data in Amazon Aurora Serverless with MySQL. Use an SQL client to query the data.
  • B . Store the data in Amazon S3. Use AWS Glue, Amazon Athena, and JDBC and ODBC drivers to query the data.
  • C . Store the data in an Amazon EMR cluster with EMR File System (EMRFS) as the storage layer. Use Apache Presto to query the data.
  • D . Store a subset of the data in Amazon Redshift, and store the remaining data in Amazon S3. Use Amazon Redshift Spectrum to query the S3 data.

Correct Answer: D
Question #66

A medical records company is hosting an application on Amazon EC2 instances. The application processes customer data files that are stored on Amazon S3. The EC2 instances are hosted in public subnets. The EC2 instances access Amazon S3 over the internet, but they do not require any other network access.

A new requirement mandates that the network traffic for file transfers take a private route and not be sent over the internet.

Which change to the network architecture should a solutions architect recommend to meet this requirement?

  • A . Create a NAT gateway. Configure the route table for the public subnets to send traffic to Amazon S3 through the NAT gateway.
  • B . Configure the security group for the EC2 instances to restrict outbound traffic so that only traffic to the S3 prefix list is permitted.
  • C . Move the EC2 instances to private subnets. Create a VPC endpoint for Amazon S3, and link the endpoint to the route table for the private subnets
  • D . Remove the internet gateway from the VPC. Set up an AWS Direct Connect connection, and route traffic to Amazon S3 over the Direct Connect connection.

Correct Answer: C
Question #67

A company runs a multi-tier web application that hosts news content. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones and use an Amazon Aurora database. A solutions architect needs to make the application more resilient to periodic increases in request rates.

Which architecture should the solutions architect implement? (Select TWO.)

  • A . Add AWS Shield
  • B . Add Aurora Replicas.
  • C . Add AWS Direct Connect
  • D . Add AWS Global Accelerator.
  • E . Add an Amazon CloudFront distribution in front of the Application Load Balancer

Correct Answer: B,E
Question #68

A company’s website runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The website has a mix of dynamic and static content. Users around the globe are reporting that the website is slow.

Which set of actions will improve website performance for users worldwide?

  • A . Create an Amazon CloudFront distribution and configure the ALB as an origin. Then update the Amazon Route 53 record to point to the CloudFront distribution
  • B . Create a latency-based Amazon Route 53 record for the ALB. Then launch new EC2 instances with larger instance sizes and register the instances with the ALB
  • C . Launch new EC2 instances hosting the same web application in different Regions closer to the users. Then register the instances with the same ALB using cross-Region VPC peering.
  • D . Host the website in an Amazon S3 bucket in the Regions closest to the users and delete the ALB and EC2 instances. Then update an Amazon Route 53 record to point to the S3 buckets.

Correct Answer: A
Question #69

A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this.

What should a solutions architect recommend?

  • A . Configure an Amazon CloudWatch SwapUsage metric dimension. Monitor the SwapUsage dimension in the EC2 metrics in CloudWatch.
  • B . Use EC2 metadata to collect information, then publish it to Amazon CloudWatch custom metrics. Monitor SwapUsage metrics in CloudWatch
  • C . Install an Amazon CloudWatch agent on the instances. Run an appropriate script on a set schedule. Monitor SwapUtilization metrics in CloudWatch
  • D . Enable detailed monitoring in the EC2 console. Create an Amazon CloudWatch SwapUtilization custom metric. Monitor SwapUtilization metrics in CloudWatch

Correct Answer: A
Question #70

A manufacturing company has machine sensors that upload csv files to an Amazon S3 bucket. These csv files must be converted into images and must be made available as soon as possible for the automatic generation of graphical reports.

The images become irrelevant after 1 month, but the csv files must be kept to train machine learning (ML) models twice a year. The ML trainings and audits are planned weeks in advance.

Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

  • A . Launch an Amazon EC2 Spot Instance that downloads the .csv files every hour, generates the image files, and uploads the images to the S3 bucket.
  • B . Design an AWS Lambda function that converts the .csv files into images and stores the images in the S3 bucket. Invoke the Lambda function when a csv file is uploaded.
  • C . Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the csv files from S3 Standard to S3 Glacier 1 day after they are uploaded. Expire the image files after 30 days.
  • D . Create S3 Lifecycle rules for csv files and image files in the S3 bucket. Transition the csv files from S3 Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) 1 day after they are uploaded. Expire the image files after 30 days
  • E . Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the csv files from S3 Standard to S3 Standard-Infrequent Access (S3 Standard-IA) 1 day after they are uploaded. Keep the image files in Reduced Redundancy Storage (RRS).

Correct Answer: B,D

Question #71

A company has deployed a multiplayer game for mobile devices. The game requires live location tracking of players based on latitude and longitude. The data store for the game must support rapid updates and retrieval of locations.

The game uses an Amazon RDS for PostgreSQL DB instance with read replicas to store the location data. During peak usage periods, the database is unable to maintain the performance that is needed for reading and writing updates. The game’s user base is increasing rapidly.

What should a solutions architect do to improve the performance of the data tier?

  • A . Take a snapshot of the existing DB instance. Restore the snapshot with Multi-AZ enabled.
  • B . Migrate from Amazon RDS to Amazon Elasticsearch Service (Amazon ES) with Kibana.
  • C . Deploy Amazon DynamoDB Accelerator (DAX) in front of the existing DB instance. Modify the game to use DAX.
  • D . Deploy an Amazon ElastiCache for Redis cluster in front of the existing DB instance. Modify the game to use Redis.

Correct Answer: D
Question #72

An application running on AWS uses an Amazon Aurora Multi-AZ deployment for its database. When evaluating performance metrics, a solutions architect discovered that the database reads are causing high I/O and adding latency to the write requests against the database.

What should the solutions architect do to separate the read requests from the write requests?

  • A . Enable read-through caching on the Amazon Aurora database.
  • B . Update the application to read from the Multi-AZ standby instance
  • C . Create a read replica and modify the application to use the appropriate endpoint.
  • D . Create a second Amazon Aurora database and link it to the primary database as a read replica

Correct Answer: C
Question #73

A company captures ordered clickstream data from multiple websites and uses batch processing to analyze the data. The company receives 100 million event records, all approximately 1 KB in size, each day. The company loads the data into Amazon Redshift each night, and business analysts consume the data.

The company wants to move toward near-real-time data processing for timely insights. The solution should process the streaming data while requiring the least possible operational overhead.

Which combination of AWS services will meet these requirements MOST cost-effectively? (Select TWO.)

  • A . Amazon EC2
  • B . AWS Batch
  • C . Amazon Simple Queue Service (Amazon SQS)
  • D . Amazon Kinesis Data Firehose
  • E . Amazon Kinesis Data Analytics

Correct Answer: B,C
Question #74

A company recently implemented hybrid cloud connectivity using AWS Direct Connect and is migrating data to Amazon S3. The company is looking for a fully managed solution that will automate and accelerate the replication of data between the on-premises storage systems and AWS storage services.

Which solution should a solutions architect recommend to keep the data private?

  • A . Deploy an AWS DataSync agent for the on-premises environment. Configure a sync job to replicate the data and connect it with an AWS service endpoint
  • B . Deploy an AWS DataSync agent for the on-premises environment. Schedule a batch job to replicate point-in-time snapshots to AWS.
  • C . Deploy an AWS Storage Gateway volume gateway for the on-premises environment. Configure it to store data locally, and asynchronously back up point-in-time snapshots to AWS.
  • D . Deploy an AWS Storage Gateway file gateway for the on-premises environment. Configure it to store data locally, and asynchronously back up point-in-time snapshots to AWS.

Correct Answer: A
Question #75

A company has created a multi-tier application for its ecommerce website. The website uses an Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing information that is hosted on the internet by a third-party provider. A solutions architect must devise a strategy that maximizes security without increasing operational overhead.

What should the solutions architect do to meet these requirements?

  • A . Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance
  • B . Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.
  • C . Configure an internet gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the internet gateway
  • D . Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the virtual private gateway.

Correct Answer: B
Question #76

A company has an application that collects data from IoT sensors on automobiles. The data is streamed and stored in Amazon S3 through Amazon Kinesis Data Firehose. The data produces trillions of S3 objects each year. Each morning, the company uses the data from the previous 30 days to retrain a suite of machine learning (ML) models.

Four times each year, the company uses the data from the previous 12 months to perform analysis and train other ML models. The data must be available with minimal delay for up to 1 year. After 1 year, the data must be retained for archival purposes.

Which storage solution meets these requirements MOST cost-effectively?

  • A . Use the S3 Intelligent-Tiering storage class. Create an S3 Lifecycle policy to transition objects to S3 Glacier Deep Archive after 1 year
  • B . Use the S3 Intelligent-Tiering storage class. Configure S3 Intelligent-Tiering to automatically move objects to S3 Glacier Deep Archive after 1 year.
  • C . Use the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Create an S3 Lifecycle policy to transition objects to S3 Glacier Deep Archive after 1 year.
  • D . Use the S3 Standard storage class. Create an S3 Lifecycle policy to transition objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days, and then to S3 Glacier Deep Archive after 1 year.

Correct Answer: B
Question #77

A company needs to connect its on-premises data center network to a new VPC. The data center network has a 100 Mbps symmetrical internet connection. An application that is running on premises will transfer multiple gigabytes of data each day. The application will use an Amazon Kinesis Data Firehose delivery stream for processing.

What should a solutions architect recommend for maximum performance?

  • A . Create a VPC peering connection between the on-premises network and the VPC. Configure routing for the on-premises network to use the VPC peering connection.
  • B . Procure an AWS Snowball Edge Storage Optimized device. After several days’ worth of data has accumulated, copy the data to the device and ship the device to AWS for expedited transfer to Kinesis Data Firehose. Repeat as needed
  • C . Create an AWS Site-to-Site VPN connection between the on-premises network and the VPC. Configure BGP routing between the customer gateway and the virtual private gateway. Use the VPN connection to send the data from on premises to Kinesis Data Firehose.
  • D . Use AWS PrivateLink to create an interface VPC endpoint for Kinesis Data Firehose in the VPC. Set up a 1 Gbps AWS Direct Connect connection between the on-premises network and AWS. Use the PrivateLink endpoint to send the data from on premises to Kinesis Data Firehose.

Correct Answer: D
Question #78

A company hosts an application on AWS. The application interacts with an Amazon DynamoDB table that has 10 read capacity units (RCUs). Data from Amazon CloudWatch alarms shows that throttling is occurring on read requests to the DynamoDB table. The company needs to prevent this issue from happening in the future as the application continues to grow.

What should a solutions architect recommend to meet these requirements?

  • A . Add an Elastic Load Balancer in front of the DynamoDB table.
  • B . Change the RCUs for the DynamoDB table to 20.
  • C . Provision 20 write capacity units (WCUs) for the DynamoDB table to offset the throttling on read requests.
  • D . Enable auto scaling for the DynamoDB table

Correct Answer: D
Question #79

A company has an application that uses Amazon Elastic File System (Amazon EFS) to store data. The files are 1 GB in size or larger and are accessed often only for the first few days after creation. The application data is shared across a cluster of Linux servers. The company wants to reduce storage costs for the application.

What should a solutions architect do to meet these requirements?

  • A . Implement Amazon FSx and mount the network drive on each server
  • B . Move the files from Amazon EFS and store them locally on each Amazon EC2 instance
  • C . Configure a lifecycle policy to move the files to the EFS Infrequent Access (IA) storage class after 7 days.
  • D . Move the files to Amazon S3 with S3 Lifecycle policies enabled. Rewrite the application to support mounting the S3 bucket

Correct Answer: C
Question #80

An ecommerce company is creating an application that requires a connection to a third-party payment service to process payments. The payment service needs to explicitly allow the public IP address of the server that is making the payment request. However, the company’s security policies do not allow any server to be exposed directly to the public internet.

Which solution will meet these requirements?

  • A . Provision an Elastic IP address. Host the application servers on Amazon EC2 instances in a private subnet. Assign the public IP address to the application servers.
  • B . Create a NAT gateway in a public subnet. Host the application servers on Amazon EC2 instances in a private subnet. Route payment requests through the NAT gateway.
  • C . Deploy an Application Load Balancer (ALB). Host the application servers on Amazon EC2 instances in a private subnet. Route the payment requests through the ALB.
  • D . Set up an AWS Client VPN connection to the payment service. Host the application servers on Amazon EC2 instances in a private subnet. Route the payment requests through the VPN.

Correct Answer: C

Question #81

A social media company is building a feature for its website. The feature will give users the ability to upload photos. The company expects significant increases in demand during large events and must ensure that the website can handle the upload traffic from users.

Which solution meets these requirements with the MOST scalability?

  • A . Upload files from the user’s browser to the application servers. Transfer the files to an Amazon S3 bucket.
  • B . Provision an AWS Storage Gateway file gateway. Upload files directly from the user’s browser to the file gateway.
  • C . Generate Amazon S3 presigned URLs in the application. Upload files directly from the user’s browser into an S3 bucket
  • D . Provision an Amazon Elastic File System (Amazon EFS) file system. Upload files directly from the user’s browser to the file system.

Correct Answer: C
Question #82

A company has developed a microservices application. It uses a client-facing API with Amazon API Gateway and multiple internal services hosted on Amazon EC2 instances to process user requests. The API is designed to support unpredictable surges in traffic, but internal services may become overwhelmed and unresponsive for a period of time during surges. A solutions architect needs to design a more reliable solution that reduces errors when internal services become unresponsive or unavailable.

Which solution meets these requirements?

  • A . Use AWS Auto Scaling to scale up internal services when there is a surge in traffic
  • B . Use different Availability Zones to host internal services. Send a notification to a system administrator when an internal service becomes unresponsive.
  • C . Use an Elastic Load Balancer to distribute the traffic between internal services. Configure Amazon CloudWatch metrics to monitor traffic to internal services.
  • D . Use Amazon Simple Queue Service (Amazon SQS) to store user requests as they arrive. Change the internal services to retrieve the requests from the queue for processing.

Correct Answer: D
Question #83

A solutions architect is designing a multi-tier application for a company. The application’s users upload images from a mobile device. The application generates a thumbnail of each image and returns a message to the user to confirm that the image was uploaded successfully.

The thumbnail generation can take up to 60 seconds, but the company wants to provide a faster response time to its users to notify them that the original image was received. The solutions architect must design the application to asynchronously dispatch requests to the different application tiers.

What should the solutions architect do to meet these requirements?

  • A . Write a custom AWS Lambda function to generate the thumbnail and alert the user. Use the image upload process as an event source to invoke the Lambda function.
  • B . Create an AWS Step Functions workflow. Configure Step Functions to handle the orchestration between the application tiers and alert the user when thumbnail generation is complete
  • C . Create an Amazon Simple Queue Service (Amazon SQS) message queue. As images are uploaded, place a message on the SQS queue for thumbnail generation. Alert the user through an application message that the image was received
  • D . Create Amazon Simple Notification Service (Amazon SNS) notification topics and subscriptions. Use one subscription with the application to generate the thumbnail after the image upload is complete. Use a second subscription to message the user’s mobile app by way of a push notification after thumbnail generation is complete.

Correct Answer: A
Question #84

A company has an ecommerce application that stores data in an on-premises SQL database. The company has decided to migrate this database to AWS. However, as part of the migration, the company wants to find a way to attain sub-millisecond responses to common read requests.

A solutions architect knows that the increase in speed is paramount and that a small percentage of stale data returned in the database reads is acceptable.

What should the solutions architect recommend?

  • A . Build Amazon RDS read replicas.
  • B . Build the database as a larger instance type.
  • C . Build a database cache using Amazon ElastiCache
  • D . Build a database cache using Amazon Elasticsearch Service (Amazon ES).

Correct Answer: C
Question #85

A company uses a payment processing system that requires messages for a particular payment ID to be received in the same order that they were sent. Otherwise, the payments might be processed incorrectly.

Which actions should a solutions architect take to meet this requirement? (Select TWO.)

  • A . Write the messages to an Amazon DynamoDB table with the payment ID as the partition key
  • B . Write the messages to an Amazon Kinesis data stream with the payment ID as the partition key.
  • C . Write the messages to an Amazon ElastiCache for Memcached cluster with the payment ID as the key
  • D . Write the messages to an Amazon Simple Queue Service (Amazon SQS) queue. Set the message attribute to use the payment ID
  • E . Write the messages to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Set the message group to use the payment ID.

Correct Answer: A,E
Question #86

A company is developing a new online gaming application. The application will run on Amazon EC2 instances in multiple AWS Regions and will have a high number of globally distributed users. A solutions architect must design the application to optimize network latency for the users.

Which actions should the solutions architect take to meet these requirements? (Select TWO.)

  • A . Configure AWS Global Accelerator. Create Regional endpoint groups in each Region where an EC2 fleet is hosted
  • B . Create a content delivery network (CDN) by using Amazon CloudFront. Enable caching for static and dynamic content, and specify a high expiration period
  • C . Integrate AWS Client VPN into the application. Instruct users to select which Region is closest to them after they launch the application. Establish a VPN connection to that Region
  • D . Create an Amazon Route 53 weighted routing policy. Configure the routing policy to give the highest weight to the EC2 instances in the Region that has the largest number of users.
  • E . Configure an Amazon API Gateway endpoint in each Region where an EC2 fleet is hosted. Instruct users to select which Region is closest to them after they launch the application. Use the API Gateway endpoint that is closest to them.

Correct Answer: A,B
Question #87

A company has a service that produces event data. The company wants to use AWS to process the event data as it is received. The data is written in a specific order that must be maintained throughout processing. The company wants to implement a solution that minimizes operational overhead.

How should a solutions architect accomplish this?

  • A . Create an Amazon Simple Queue Service (Amazon SQS) FIFO queue to hold messages. Set up an AWS Lambda function to process messages from the queue
  • B . Create an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications containing payloads to process. Configure an AWS Lambda function as a subscriber.
  • C . Create an Amazon Simple Queue Service (Amazon SQS) standard queue to hold messages. Set up an AWS Lambda function to process messages from the queue independently
  • D . Create an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications containing payloads to process. Configure an Amazon Simple Queue Service (Amazon SQS) queue as a subscriber.

Correct Answer: A
Question #88

A solutions architect is designing a new service behind API Gateway. The request pattern for the service will be unpredictable and can change suddenly from 0 requests to over 500 per second. The total size of the data that needs to be persisted in a database is currently less than 1 GB, with unpredictable future growth. Data can be queried using simple key-value requests.

Which combination of AWS services would meet these requirements? (Select TWO.)

  • A . AWS Fargate
  • B . AWS Lambda
  • C . Amazon DynamoDB
  • D . Amazon EC2 Auto Scaling
  • E . MySQL-compatible Amazon Aurora

Correct Answer: A,C
Question #89

A solutions architect at a company is designing the architecture for a two-tiered web application. The web application is composed of an internet-facing Application Load Balancer that forwards traffic to an Auto Scaling group of Amazon EC2 instances. The EC2 instances must be able to access a database that runs on Amazon RDS.

The company has requested a defence-in-depth approach to the network layout. The company does not want to rely solely on security groups or network ACLs. Only the minimum resources that are necessary should be routable from the internet.

Which network design should the solutions architect recommend to meet these requirements?

  • A . Place the ALB, EC2 instances and RDS database in private subnets.
  • B . Place the ALB in public subnets. Place the EC2 instances and RDS database in private subnets
  • C . Place the ALB and EC2 instances in public subnets. Place the RDS database in private subnets
  • D . Place the ALB outside the VPC. Place the EC2 instances and RDS database in private subnets.

Correct Answer: C
Question #90

A company is running a multi-tier web application on premises. The web application is containerized and runs on a number of Linux hosts connected to a PostgreSQL database that contains user records. The operational overhead of maintaining the infrastructure and capacity planning is limiting the company’s growth. A solutions architect must improve the application’s infrastructure.

Which combination of actions should the solutions architect take to accomplish this? (Select TWO.)

  • A . Migrate the PostgreSQL database to Amazon Aurora
  • B . Migrate the web application to be hosted on Amazon EC2 instances.
  • C . Set up an Amazon CloudFront distribution for the web application content.
  • D . Set up Amazon ElastiCache between the web application and the PostgreSQL database.
  • E . Migrate the web application to be hosted on AWS Fargate with Amazon Elastic Container Service (Amazon ECS).

Correct Answer: C,D

Question #91

A healthcare company stores highly sensitive records. Compliance requires that multiple copies be stored in different locations. Each record must be stored for 7 years. The company has a service level agreement (SLA) to provide records to government agencies immediately for the first 30 days and then within 4 hours of a request thereafter.

What should a solutions architect recommend?

  • A . Use Amazon S3 with cross-Region replication enabled. After 30 days, transition the data to Amazon S3 Glacier using a lifecycle policy.
  • B . Use Amazon S3 with cross-origin resource sharing (CORS) enabled. After 30 days, transition the data to Amazon S3 Glacier using a lifecycle policy.
  • C . Use Amazon S3 with cross-origin replication enabled. After 30 days, transition the data to Amazon S3 Glacier Deep Archive using a lifecycle policy.
  • D . Use Amazon S3 with cross-origin resource sharing (CORS) enabled. After 30 days, transition the data to Amazon S3 Glacier Deep Archive using a lifecycle policy.

Correct Answer: C
Question #92

A solutions architect is designing the architecture for a new web application. The application will run on AWS Fargate containers with an Application Load Balancer (ALB) and an Amazon Aurora PostgreSQL database. The web application will perform primarily read queries against the database.

What should the solutions architect do to ensure that the website can scale with increasing traffic? (Select TWO.)

  • A . Enable auto scaling on the ALB to scale the load balancer horizontally.
  • B . Configure Aurora Auto Scaling to adjust the number of Aurora Replicas in the Aurora cluster dynamically.
  • C . Enable cross-zone load balancing on the ALB to distribute the load evenly across containers in all Availability Zones.
  • D . Configure an Amazon Elastic Container Service (Amazon ECS) cluster in each Availability Zone to distribute the load across multiple Availability Zones.
  • E . Configure Amazon Elastic Container Service (Amazon ECS) Service Auto Scaling with a target tracking scaling policy that is based on CPU utilization.

Correct Answer: A,B
Question #93

A company is building a mobile app on AWS. The company wants to expand its reach to millions of users. The company needs to build a platform so that authorized users can watch the company’s content on their mobile devices.

What should a solutions architect recommend to meet these requirements?

  • A . Publish content to a public Amazon S3 bucket. Use AWS Key Management Service (AWS KMS) keys to stream content.
  • B . Set up IPsec VPN between the mobile app and the AWS environment to stream content
  • C . Use Amazon CloudFront. Provide signed URLs to stream content.
  • D . Set up AWS Client VPN between the mobile app and the AWS environment to stream content.

Correct Answer: C
Question #94

A company’s database is hosted on an Amazon Aurora MySQL DB cluster in the us-east-1 Region. The database is 4 TB in size. The company needs to expand its disaster recovery strategy to the us-west-2 Region. The company must have the ability to fail over to us-west-2 with a recovery time objective (RTO) of 15 minutes.

What should a solutions architect recommend to meet these requirements?

  • A . Create a Multi-Region Aurora MySQL DB cluster in us-east-1 and us-west-2. Use an Amazon Route 53 health check to monitor us-east-1 and fail over to us-west-2 upon failure
  • B . Take a snapshot of the DB cluster in us-east-1. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function upon receipt of resource events. Configure the Lambda function to copy the snapshot to us-west-2 and restore the snapshot in us-west-2 when failure is detected.
  • C . Create an AWS CloudFormation script to create another Aurora MySQL DB cluster in us-west-2 in case of failure. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function upon receipt of resource events. Configure the Lambda function to deploy the AWS CloudFormation stack in us-west-2 when failure is detected.
  • D . Recreate the database as an Aurora global database with the primary DB cluster in us-east-1 and a secondary DB cluster in us-west-2. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function upon receipt of resource events. Configure the Lambda function to promote the DB cluster in us-west-2 when failure is detected.

Correct Answer: B
Question #95

A company wants to run an in-memory database for a latency-sensitive application that runs on Amazon EC2 instances. The application processes more than 100,000 transactions each minute and requires high network throughput. A solutions architect needs to provide a cost-effective network design that minimizes data transfer charges.

Which solution meets these requirements?

  • A . Launch all EC2 instances in the same Availability Zone within the same AWS Region. Specify a placement group with cluster strategy when launching EC2 instances.
  • B . Launch all EC2 instances in different Availability Zones within the same AWS Region. Specify a placement group with partition strategy when launching EC2 instances.
  • C . Deploy an Auto Scaling group to launch EC2 instances in different Availability Zones based on a network utilization target.
  • D . Deploy an Auto Scaling group with a step scaling policy to launch EC2 instances in different Availability Zones.

Correct Answer: A
Question #96

A company allows its developers to attach existing IAM policies to existing IAM roles to enable faster experimentation and agility. However, the security operations team is concerned that the developers could attach the existing administrator policy, which would allow the developers to circumvent any other security policies.

How should a solutions architect address this issue?

  • A . Create an Amazon SNS topic to send an alert every time a developer creates a new policy.
  • B . Use service control policies to disable IAM across all accounts in the organizational unit.
  • C . Prevent the developers from attaching any policies and assign the duties to the security operations team.
  • D . Set an IAM permission boundary on the developer IAM role that explicitly denies attaching the administrator policy

Correct Answer: D
Question #97

A website runs a web application that receives a burst of traffic each day at noon. The users upload new pictures and content daily, but have been complaining of timeouts. The architecture uses Amazon EC2 Auto Scaling groups, and the custom application consistently takes 1 minute to initiate upon boot up before responding to user requests.

How should a solutions architect redesign the architecture to better respond to changing traffic?

  • A . Configure a Network Load Balancer with a slow start configuration.
  • B . Configure AWS ElastiCache for Redis to offload direct requests to the servers.
  • C . Configure an Auto Scaling step scaling policy with an instance warmup condition.
  • D . Configure Amazon CloudFront to use an Application Load Balancer as the origin.

Correct Answer: C

Explanation:

https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-simple-step.html#as-step-scaling-warmup

"If you are creating a step policy, you can specify the number of seconds that it takes for a newly launched instance to warm up. Until its specified warm-up time has expired, an instance is not counted toward the aggregated metrics of the Auto Scaling group. Using the example in the Step Adjustments section, suppose that the metric gets to 60, and then it gets to 62 while the new instance is still warming up. The current capacity is still 10 instances, so 1 instance is added (10 percent of 10 instances). However, the desired capacity of the group is already 11 instances, so the scaling policy does not increase the desired capacity further. If the metric gets to 70 while the new instance is still warming up, we should add 3 instances (30 percent of 10 instances). However, the desired capacity of the group is already 11, so we add only 2 instances, for a new desired capacity of 13 instances"

Question #98

A company is planning to migrate a TCP-based application into the company’s VPC. The application is publicly accessible on a nonstandard TCP port through a hardware appliance in the company’s data centre. This public endpoint can process up to 3 million requests per second with low latency. The company requires the same level of performance for the new public endpoint in AWS.

What should a solutions architect recommend to meet this requirement?

  • A . Deploy a Network Load Balancer (NLB). Configure the NLB to be publicly accessible over the TCP port that the application requires.
  • B . Deploy an Application Load Balancer (ALB). Configure the ALB to be publicly accessible over the TCP port that the application requires.
  • C . Deploy an Amazon CloudFront distribution that listens on the TCP port that the application requires. Use an Application Load Balancer as the origin.
  • D . Deploy an Amazon API Gateway API that is configured with the TCP port that the application requires. Configure AWS Lambda functions with provisioned concurrency to process the requests.


Correct Answer: A
Question #99

A company is automating an order management application. The company’s development team has decided to use SFTP to transfer and store the business-critical information files. The files must be encrypted and must be highly available. The files also must be automatically deleted a month after they are created.

Which solution meets these requirements with the LEAST operational overhead?

  • A . Configure an Amazon S3 bucket with encryption enabled. Use AWS Transfer for SFTP to securely transfer the files to the S3 bucket. Apply an AWS Transfer for SFTP file retention policy to delete the files after a month.
  • B . Install an SFTP service on an Amazon EC2 instance. Mount an Amazon Elastic File System (Amazon EFS) file share on the EC2 instance. Enable cron to delete the files after a month.
  • C . Configure an Amazon Elastic File System (Amazon EFS) file system with encryption enabled. Use AWS Transfer for SFTP to securely transfer the files to the EFS file system. Apply an EFS lifecycle policy to automatically delete the files after a month.
  • D . Configure an Amazon S3 bucket with encryption enabled. Use AWS Transfer for SFTP to securely transfer the files to the S3 bucket. Apply S3 Lifecycle rules to automatically delete the files after a month.


Correct Answer: D
Question #100

A solutions architect is designing a security solution for a company that wants to provide developers with individual AWS accounts through AWS Organizations, while also maintaining standard security controls. Because the individual developers will have AWS account root user-level access to their own accounts, the solutions architect wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new developer accounts is not modified.

Which action meets these requirements?

  • A . Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.
  • B . Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.
  • C . Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.
  • D . Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the master account.


Correct Answer: C