Amazon Web Services SAA-C03 AWS Certified Solutions Architect - Associate (SAA-C03) Exam Practice Test

Option Ais the best solution as it leveragesAWS Lambdafor serverless, scalable, and highly available processing and enrichment of clickstream data. Lambda can process the data in real-time, join it with the Aurora database data, and write the enriched results to Amazon S3. FromS3,Amazon Redshift Spectrumcan directly query the enriched data without needing to load the data into Redshift, enabling cost efficiency and high availability.

Why Other Options Are Incorrect:

Option B:EC2 Spot Instances are not guaranteed to be highly available, as Spot Instances can be interrupted at any time. This does not align with the requirement for high availability.

Option C:While ECS with AWS Fargate provides scalability, using EC2 for the COPY command introduces operational overhead and compromises high availability.

Option D:Kinesis Data Firehose and Athena are suitable for querying raw data, but they do not directly support enriching the data by joining with Aurora. This solution fails to meet the requirement for data enrichment.

Key AWS Features Used:

AWS Lambda:Real-time serverless processing with integration capabilities for Aurora and S3.

Amazon S3:Cost-effective storage for enriched data.

Amazon Redshift Spectrum:Direct querying of data stored in S3 without loading it into Redshift.

AWS Documentation References:

AWS Lambda Function Overview

Amazon Redshift Spectrum

Processing Streaming Data with Kinesis Data Streams

Explanation (AWS Docs):

ElastiCache provides an in-memory cache layer for frequently accessed queries, reducing latency and offloading read pressure from the database.

“You can improve database performance by caching frequently accessed data using Amazon ElastiCache.”

— ElastiCache Overview

AWS best practice for a highly available, resilient web application is:

Run EC2 instances in an Auto Scaling group across multiple Availability Zones.

Put an Application Load Balancer (ALB) in front of the Auto Scaling group.

Use CloudWatch alarms and scaling policies for horizontal scaling based on demand.

Option D implements exactly this: a minimum of three instances spread across AZs (resilience to AZ failure), behind an ALB, with automatic horizontal scaling. This provides both elasticity and high availability with good cost efficiency (instances scale out/in based on traffic).

Option A uses only three fixed instances and relies on vertical scaling, which does not scale as well and is less resilient.

Option B overprovisions to nine instances from the start, which is unnecessarily expensive.

Option C keeps all instances in a single AZ, which does not meet resilience requirements.

AWS Secrets Manager is the recommended service for storing database credentials and performing automated rotation. Any Lambda function version or alias can fetch the latest secret value at runtime, ensuring no outdated credentials exist in deployed versions.

Environment variables (Option C) are static per version. Embedding credentials in code (Option B) is insecure and requires redeployment. Parameter Store (Option D) supports rotation but requires more configuration and is not as seamless as Secrets Manager for database credential rotation.

=====================================================

AWS WAF (Web Application Firewall): AWS WAF allows you to create custom rules to block or allow web requests based on conditions that you specify.

Web ACL (Access Control List):

Create a web ACL and associate it with the ALB.

Use IP rule sets to specify the IP addresses of the retail locations that are allowed to access the application.

Security and Flexibility:

AWS WAF provides a scalable way to manage access control, ensuring that only traffic from registered IP addresses is allowed.

You can dynamically update the IP rule sets to add or remove IP addresses as needed.

Operational Simplicity: Using AWS WAF with a web ACL is straightforward and integrates seamlessly with the ALB, providing an efficient solution for managing access control based on IP addresses.

This question is identical to the previous one and the same logic applies. The company needs a KMS key that supports automatic rotation and standard lifecycle controls to disable the key and schedule deletion. These capabilities are provided for customer managed keys in AWS KMS. Automatic rotation is supported for symmetric customer managed KMS keys, which are the typical choice for encrypt/decrypt operations and for integrating with most AWS services that use KMS for data protection.

With automatic rotation enabled, AWS KMS periodically rotates the key material. This reduces operational overhead because the organization does not need to create replacement keys or reconfigure applications on a fixed schedule to satisfy key rotation policies. At the same time, because it is a customer managed key, administrators can disable the key to immediately stop it from being used (for example, during an incident response or compliance action), and they can schedule deletion when the key is no longer needed, following the required waiting period.

Option A does not fit because asymmetric key rotation is not typically supported in the same automatic fashion and asymmetric keys are meant for different cryptographic workflows. Options B and D are invalidly framed: “disabling envelope encryption” is not a practical KMS configuration switch, and envelope encryption is a best-practice pattern rather than an optional feature you toggle off.

Thus, the solution that meets all requirements is C: a symmetric customer managed KMS key with automatic rotation enabled.

Security groups are stateful, but they cannot explicitly deny traffic — only allow.

Network ACLs are stateless and support explicit deny rules.To prevent Application A from sending traffic to Application B, configure a deny outbound rule in the network ACL of Application A’s subnet to block traffic to Application B’s subnet.

“Unlike security groups, network ACLs support both allow and deny rules, enabling you to explicitly block traffic.”

— Network ACLs

This is the correct method to block outbound traffic between subnets.

For maximum resiliency and fault tolerance in a mission-critical scenario, AWS recommends redundant Direct Connect connections from multiple data centers to multiple AWS Direct Connect locations.

This protects against:

Data center failure

Device failure

Location outages

“For workloads that require high availability, we recommend that you use multiple Direct Connect connections at multiple Direct Connect locations.”

— AWS Direct Connect Resiliency Recommendations

Option C follows AWS maximum resiliency model.

AWS Lambda supports functions up to 10 GB of memory and 15 minutes execution time. Each invocation here requires only 1 GB of memory and finishes in 30 seconds, making it an ideal fit for Lambda. Lambda is cost-effective for event-driven, short-duration workloads and requires no infrastructure management. AWS Glue and EMR are better suited for large-scale ETL or distributed processing, which is unnecessary and more costly for this workload.

AWS Documentation Extract:

“AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. You pay only for the compute time you consume. Lambda supports up to 10 GB memory and 15 minutes per invocation.”

(Source: AWS Lambda documentation)

B, D: AWS Glue is intended for ETL on larger datasets or batch jobs, usually with higher operational overhead and cost.

C: EMR is for large-scale distributed processing and is not cost-effective for single, fast, memory-bound jobs.

Amazon Aurora PostgreSQL with Babelfish allows Aurora to understand SQL Server T-SQL and the SQL Server wire protocol. This enables applications to continue using SQL Server drivers, minimizing code changes (Option B).

Migration of schema and data is performed using AWS Schema Conversion Tool (SCT) and AWS Database Migration Service (DMS) (Option C), which is the AWS-recommended migration pattern for heterogeneous database migrations.

AWS DMS (Option E) does not rewrite application SQL.

RDS Proxy (Option D) does not translate SQL Server protocols.

Option A requires rewriting application queries, which contradicts the “minimal changes” requirement.

Predictive scaling in EC2 Auto Scaling uses machine learning to analyze historical load and forecast future capacity needs, then pre-scales capacity before the demand occurs. It is specifically designed for recurring, cyclical workloads such as weekly batch jobs.

In this scenario:

The workload pattern is known and recurring (weekly scripted jobs).

The company explicitly does not want to manually analyze trends.

They need capacity to be ready 30 minutes before jobs start.

Predictive scaling lets you:

Set the metric (CPU utilization) and target (60%).

Configure the policy to pre-launch instances 30 minutes in advance, satisfying the requirement automatically with minimal operational overhead.

Dynamic scaling (Option A) reacts after CPU increases, not before.

Scheduled scaling (Option B) requires manual analysis and ongoing adjustment of capacity values.

EventBridge + Lambda (Option D) introduces unnecessary custom logic and still reacts after CPU reaches 60%, not 30 minutes before.

EC2 Image Builder is the AWS-managed service specifically designed to automate the creation, patching, hardening, and testing of AMIs.

For this scenario, best practice is to:

Use EC2 Image Builder pipelines to generate new golden AMIs whenever features are deployed or on a schedule.

Include build components such as update-linux to automatically apply OS security patches and updates during image creation.

Deploy the new AMIs through existing Auto Scaling groups, ensuring that every newly launched instance is already patched and compliant.

This approach:

Prevents OS vulnerabilities from being introduced at deployment time.

Scales across dozens of applications because AMI pipelines are reusable and automated.

Minimizes manual effort and reduces drift between instances.

Amazon Inspector (Option A) identifies vulnerabilities but does not itself patch AMIs.

AWS Backup (Option B) is for data protection, not vulnerability management.

Patch Manager (Option C) patches running instances, but the requirement is to ensure vulnerabilities are not introduced with new AMIs; golden image pipelines with EC2 Image Builder are the recommended solution.

Amazon API Gateway with CloudFront: API Gateway allows you to create, deploy, and manage APIs, while CloudFront provides a CDN to deliver content with low latency and high transfer speeds.

AWS WAF (Web Application Firewall):

AWS WAF can be configured in CloudFront to protect against common web exploits, including SQL injection and cross-site scripting (XSS).

WAF allows you to create custom rules to block specific attack patterns and can be managed centrally.

Configuration:

Deploy your APIs using Amazon API Gateway.

Set up an Amazon CloudFront distribution in front of the API Gateway.

Configure AWS WAF on the CloudFront distribution to apply security rules.

Operational Efficiency: This solution provides robust protection with minimal operational overhead by leveraging managed AWS services, ensuring that your APIs are secure without extensive custom implementation.

Pre-Signed URLs: Allow temporary access to S3 buckets, making it easy to manage time-limited upload permissions without complex operational overhead.

Lambda for Automation: Automatically generates and provides pre-signed URLs when users authenticate, minimizing manual steps and code complexity.

Least Operational Overhead: Requires no custom authentication service or deep integration with STS or Cognito.

Amazon S3 Pre-Signed URLs Documentation

To meet the requirements, the key must support automatic rotation, and the company must be able to disable (deactivate) the key and schedule deletion. In AWS KMS, these lifecycle controls are available for customer managed keys. Automatic key rotation is supported for symmetric customer managed KMS keys used for encryption and decryption operations. When automatic rotation is enabled, AWS KMS generates new cryptographic material for the key on a regular schedule while the key ID remains the same, helping organizations meet compliance and security best practices without manual operational work.

Option C is the only choice that explicitly combines a symmetric customer managed key with automatic rotation enabled, which directly satisfies the rotation requirement. As a customer managed key, it can also be disabled (to prevent use) and scheduled for deletion (with a waiting period), meeting the rest of the lifecycle needs.

Option A is incorrect because automatic rotation is not generally available for asymmetric KMS keys in the same way; asymmetric keys are used for specialized use cases such as signing or asymmetric encryption, and rotation behavior differs. Options B and D mention “disabling envelope encryption,” which is not a configurable “option” you turn off in KMS; envelope encryption is a recommended pattern where KMS protects data keys, and services commonly use it under the hood. Those options therefore do not describe a valid configuration that meets the requirement.

Therefore, the correct solution is to create a symmetric customer managed KMS key and enable automatic rotation, while using standard KMS controls to disable and schedule deletion when required.

To securely migrate an on-premises Oracle database to Amazon Aurora, the following steps are recommended:

Use AWS Schema Conversion Tool (AWS SCT) and AWS Database Migration Service (AWS DMS): AWS SCT helps convert the source database schema to a format compatible with the target database (Aurora). AWS DMS facilitates the actual data migration, ensuring minimal downtime and data integrity.

Use AWS Site-to-Site VPN: Establishing a Site-to-Site VPN connection provides a secure and encrypted tunnel between the on-premises environment and AWS. This ensures that data transferred during the migration is protected against interception and unauthorized access.

AWS recommends using Amazon ElastiCache as an in-memory caching layer in front of relational databases such as Amazon RDS to offload read traffic and significantly improve performance for read-heavy workloads. ElastiCache (Redis OSS) provides microsecond latency and can cache the results of frequent or expensive queries without requiring any change to the underlying database schema or engine. This directly addresses the requirement to improve performance without changing the database structure and with minimal operational overhead, because ElastiCache is a fully managed service (patching, failure detection, replacement, etc., are handled by AWS).

Option A (DynamoDB) would require a full data migration and application changes, including schema and query rewrites.

Option C (Memcached on EC2) introduces additional management overhead for EC2 instances (scaling, patching, HA).

Option D (DAX) is a caching layer only for DynamoDB and cannot be used directly with Amazon RDS.

Converting the existing DynamoDB table to aglobal tableprovides active-active replication and low-latency reads and writes in both Regions. DynamoDB global tables are specifically designed for multi-Region and multi-active use cases.

Option A:GSIs do not provide multi-Region replication or active-active capabilities.

Option B and D:Using DynamoDB Streams and custom replication is less operationally efficient than global tables and introduces additional complexity.

AWS Documentation References:

DynamoDB Global Tables

Why Option C is Correct:

S3 Access Points: Provide scalable management of access to large datasets with specific permissions for individual prefixes.

Dynamic Prefixes: Access points simplify managing access to a growing number of prefixes without relying solely on a single bucket policy.

Fine-Grained Control: Resource-based permissions on access points enforce prefix-level isolation effectively.

Why Other Options Are Not Ideal:

Option A: Using deny/allow bucket policies introduces complexity and is less scalable for dynamic prefixes.

Option B: Encryption ensures data security but does not address access management.

Option D: Pre-signed URLs are temporary and not suitable for managing access at scale.

AWS References:

Amazon S3 Access Points:AWS Documentation - S3 Access Points

Amazon EMR on EC2 supports “runtime roles (application-scoped IAM roles)” so each application/step assumes its own IAM role with least-privilege S3 access. You enable this via an EMR security configuration by setting “EnableApplicationScopedIAMRole = true.” The EMR core/Task nodes run under the cluster’s EC2 instance profile; therefore the instance profile must be permitted to “sts:AssumeRole” into the defined EMR runtime roles, and each runtime role must trust the instance profile (trust policy principal is the instance profile role). This design limits each job’s S3 scope via role policies and enforces per-job access segregation. Option B reverses the trust (incorrect). Option E trusts the EMR service role (not used to assume runtime roles). Option F is unrelated (encryption in transit). The correct trio is to enable application-scoped roles (A), authorize the instance profile to assume them (C), and configure the runtime roles’ trust relationship to allow that assumption (D).

Amazon QLDB is the most cost-effective and suitable service for maintainingimmutable, cryptographically verifiable logsof data changes. QLDB provides a fully managed ledgerdatabase with a built-in cryptographic hash chain, making it ideal for recording changes to accounting records, ensuring data integrity and security.

QLDB reduces operational overhead by offering fully managed services, so there’s no need for server management, and it’s built specifically to ensure immutability and verifiability, making it the best fit for the given requirements.

Option A (Redshift): Redshift is designed for analytics and not for immutable, cryptographically verifiable logs.

Option B (Neptune): Neptune is a graph database, which is not suitable for this use case.

Option C (Timestream): Timestream is a time series database optimized for time-stamped data, but it does not provide immutable or cryptographically verifiable logs.

AWS References:

Amazon QLDB

How QLDB Works

Amazon EFS allows automatic transitions to Infrequent Access (IA) and back to Standard when accessed again using the lifecycle policy.

By specifying the bursting throughput mode, throughput scales automatically with file system size.

“With EFS Lifecycle Management, you can automatically move files to EFS Infrequent Access storage and automatically return them to Standard storage when accessed.”

“The Bursting Throughput mode scales with your file system size.”

— Amazon EFS Lifecycle Management

This option matches all requirements:

Auto transition to IA after 30 days.

Auto transition back to Standard on access.

Bursting throughput for scaling with file system size.

Amazon Managed Service for Apache Flink (formerly Kinesis Data Analytics) is a fully managed, serverless service for real-time processing of streaming data. You can consume data from Kinesis Data Streams, perform anomaly detection, and then output the results to another Kinesis stream. This approach is loosely coupled, fully managed, and does not require modifying the application code.

AWS Documentation Extract:

“Amazon Managed Service for Apache Flink enables you to process streaming data in real time, integrating with Kinesis Data Streams as source and sink, and is fully managed and serverless.”

(Source: Apache Flink on AWS documentation)

B: S3/Redshift is not real-time and adds complexity.

C, D: EC2/ECS solutions are not serverless or fully managed.

EBS gp3 volumes allow you to independently configure IOPS and throughput, up to 16,000 IOPS, regardless of the volume size, and at a lower cost compared to io1/io2 provisioned IOPS volumes. This meets the requirement for cost-effective, predictable IOPS performance for Amazon RDS for PostgreSQL.

AWS Documentation Extract:

"With gp3 volumes, you can provision performance independent of storage capacity, up to 16,000 IOPS. This allows for cost-effective scaling for applications that require high performance at a lower price point compared to io1."

(Source: Amazon EBS documentation, gp3 Volumes)

A: gp2 ties IOPS to volume size; 5 TiB is wasteful if only 15,000 IOPS are needed.

B: io1 works but is significantly more expensive than gp3 for most workloads.

D: Magnetic volumes do not support high IOPS.

This solution is the most suitable for running cron jobs on AWS with minimal refactoring, while also supporting the possibility of running jobs in response to future events.

Container Image for Cron Jobs: By containerizing the cron jobs, you can package the environment and dependencies required to run the jobs, ensuring consistency and ease of deployment across different environments.

Amazon EventBridge Scheduler: EventBridge Scheduler allows you to create a recurring schedule that can trigger tasks (like running your cron jobs) at specific times or intervals. It provides fine-grained control over scheduling and integrates seamlessly with AWS services.

AWS Fargate: Fargate is a serverless compute engine for containers that removes the need to manage EC2 instances. It allows you to run containers without worrying about the underlying infrastructure. Fargate is ideal for running jobs that can vary in duration, like cron jobs, as it scales automatically based on the task's requirements.

Why Not Other Options?:

Option A (Lambda): While AWS Lambda could handle short-running cron jobs, it has limitations in terms of execution duration (maximum of 15 minutes) and might not be suitable for jobs that run up to 20 minutes.

Option B (AWS Batch on ECS): AWS Batch is more suitable for batch processing and workloads that require complex job dependencies or orchestration, which might be more than what is needed for simple cron jobs.

Option D (Step Functions with Wait State): While Step Functions provide orchestration capabilities, this approach would introduce unnecessary complexity and overhead compared to the straightforward scheduling with EventBridge and running on Fargate.

AWS References:

Amazon EventBridge Scheduler- Details on how to schedule tasks using Amazon EventBridge Scheduler.

AWS Fargate- Information on how to run containers in a serverless manner using AWS Fargate.

When using imported key material with AWS KMS, you maintain control over the key lifecycle. AWS KMS allows you to import new key material into an existing KMS key (of type "external" or "imported"), thus rotating the key material without changing the key ID or ARNs. This enables applications to continue using the same key for cryptographic operations without disruption.

You can also set an expiration time for the old key material, after which AWS KMS deletes the old material and requires new key material to be imported, enforcing regular rotation per your compliance requirements.

AWS Documentation Extract:

"To rotate imported key material, you can re-import new key material into the same KMS key. This retains the same key ID and ARNs so applications are unaffected. You can set an expiration time for imported key material and replace it as needed, ensuring compliance with your rotation policy."

(Source: AWS Key Management Service Developer Guide, Importing Key Material, Rotating Key Material)

Other options:

A: You cannot create a new KMS key with the same key ID as an existing one.

B: Deleting and recreating the key disrupts application access because the key ID changes.

D: Automatic rotation is only available for AWS-managed keys, not for imported key material.

Amazon DocumentDB global clusters support managed cross-region failover, allowing you to promote a secondary region to become the new primary with minimal downtime. This ensures business continuity during maintenance or regional disruptions.

Reference Extract:

"Amazon DocumentDB global clusters support managed cross-Region failover, allowing you to recover quickly from regional disruptions with minimal downtime."

Source: AWS Certified Solutions Architect – Official Study Guide, DocumentDB and Resiliency section.

The combination of these solutions provides an efficient and automated way to migrate data while preserving metadata and ensuring cleanup:

Create a new S3 bucket with versioning enabled(Option A) to preserve object metadata like version IDs during migration.

UseS3 batch operations(Option B) to efficiently copy data from specific prefixes in the source bucket to the destination bucket, ensuring minimal overhead.

Use an S3 Lifecycle policy(Option F) to automatically delete the data from the source bucket after it has been migrated, reducing manual intervention.

Option C (CopyObject API): This approach would require more manual scripting and effort.

Option D (Same-Region Replication): SRR is designed for ongoing replication, not for one-time migrations.

Option E (DataSync): DataSync adds more complexity than necessary for this task.

AWS References:

S3 Batch Operations

S3 Lifecycle Policies

Amazon S3 Object Lambda allows you to add your own code to process data retrieved from S3 before it is returned to an application. You can use this to dynamically redact or remove PII for specific applications on-the-fly, eliminating the need to manage multiple buckets or datasets, thus minimizing operational overhead.

Reference Extract:

"S3 Object Lambda enables you to process and transform data as it is retrieved from S3, supporting use cases such as redacting sensitive information before returning data to an application."

Source: AWS Certified Solutions Architect – Official Study Guide, Data Security and Transformation section.

Amazon Route 53 Resolver endpoints allow you to integrate DNS between AWS and on-premises environments easily. By creating inbound and outbound resolver endpoints, you can configure conditional forwarding rules so that DNS queries for your on-premises AD domain are forwarded to the on-premises DNS servers. This approach is fully managed, scales automatically, and requires the least administrative overhead.

AWS Documentation Extract:

"Route 53 Resolver provides DNS resolution between AWS and on-premises environments, using endpoints and forwarding rules to manage DNS query routing seamlessly."

(Source: Route 53 Resolver documentation)

A, D: Require provisioning, managing, and patching EC2 servers or domain controllers.

B: NS records in a private hosted zone do not provide true DNS forwarding.

A: Amazon Macie can scan S3 buckets for sensitive data and identify PII.

C: S3 Object Lock legal hold prevents object deletion until a review is complete, meeting compliance requirements.

E: EventBridge can trigger the Lambda function automatically when Macie detects sensitive data, creating an automated workflow.

AWS Documentation Extract:

"Amazon Macie automatically discovers, classifies, and protects sensitive data in AWS. You can use EventBridge to invoke a Lambda function for post-processing, such as applying Object Lock legal hold to flagged objects."

(Source: AWS Macie and S3 Object Lock documentation)

B, D: Moving to Glacier Deep Archive or applying retention in governance mode is not specific to deletion prevention pending review.

F: MFA Delete adds a security layer but does not automate object retention for flagged PII.

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

Setting the RDS backup retention policy to 30 days forautomated backupsthrough AWS Backup allows the company to retain backups cost-effectively. Manual backups, however, are notautomatically managed by RDS's retention policy, so they need to be manually deleted if they are older than 30 days to avoid unnecessary storage costs.

Key AWS features:

Automated Backups: Can be configured with a retention policy of up to 35 days, ensuring that older automated backups are deleted automatically.

Manual Backups: These are not subject to the automated retention policy and must be manually managed to avoid extra costs.

AWS Documentation: AWS recommends using backup retention policies for automated backups while manually managing manual backups​.

For workloads where tasks are independent and can be processed in parallel, and where minimizing management overhead is a priority, a serverless architecture using AWS Lambda is ideal.

AWS Lambda allows you to run code without provisioning or managing servers. It automatically scales your application by running code in response to each trigger.

Parallel Processing: Lambda functions can process multiple tasks concurrently, making it suitable for parallel workloads.

Automatic Scaling: Lambda automatically scales by running code in response to each event, scaling precisely with the size of the workload.

Minimal Management Overhead: With Lambda, there's no need to manage the underlying infrastructure, reducing operational complexity.Wikipedia

CloudFront Signed URLs: These URLs allow you to provide limited access to content that is being served through an Amazon CloudFront distribution. Signed URLs can be generated to grant time-limited access to premium customers.

Content Restriction:

By using CloudFront signed URLs, you can control access to your media streams and file content stored in S3.

These URLs can be customized with an expiration time, ensuring that access is only available for a specific period, which is useful for scenarios like movie rentals or music downloads.

Security and Flexibility:

Signed URLs ensure that only authenticated users (premium customers) can access the restricted content.

This approach integrates seamlessly with CloudFront and S3, providing an efficient way to manage access controls without additional overhead.

Operational Efficiency: Using CloudFront signed URLs leverages AWS managed services to handle the complexity of access control, reducing the need for custom implementation and maintenance.

For high availability, Amazon ElastiCache for Redis supports Multi-AZ with automatic failover, which provides primary and replica nodes in different Availability Zones. If the primary node fails, Redis automatically promotes a replica to primary.

From AWS Documentation:

“When you enable Multi-AZ with automatic failover, Amazon ElastiCache automatically detects failures and promotes a read replica to primary with minimal downtime.”

(Source: Amazon ElastiCache for Redis User Guide)

Why B is correct:

Multi-AZ provides automatic failover and data replication.

Ensures continuous availability and protects against node or AZ failures.

Fully managed with no manual intervention needed.

Why others are incorrect:

A: Manual promotion is not automatic.

C & D: Restoring from backup is slow and meant for disaster recovery, not failover.

Why Option B is Correct:

HTTP Proxy Integration: Passes XML requests directly to the application, which already supports XML.

JSON Conversion: An AWS Lambda function converts JSON requests to XML and calls the application.

API Gateway: Acts as a front end to handle JSON requests and integrates seamlessly with Lambda for the transformation process.

Why Other Options Are Not Ideal:

Option A: Suggests using API Gateway mappings to convert JSON to XML. API Gateway mapping templates are limited in functionality and are not ideal for complex transformations.

Option C and D: Use HTTP custom integration unnecessarily, which adds complexity without additional benefits.

AWS References:

Amazon API Gateway Integration:AWS Documentation - API Gateway Integration

AWS Lambda:AWS Documentation - Lambda

This workload has two distinct needs: (1) a managed way for external clients to upload files using a familiar managed file transfer protocol, and (2) an automated, low-ops method to run a watermarking step and store the resulting images as objects. AWS Transfer Family provides a fully managed capability to receive files over protocols such as SFTP, while landing those files directly into Amazon S3 as objects. That directly satisfies the requirement that “uploaded images must be stored as objects” with minimal infrastructure management.

To automate watermarking with minimal operational overhead, invoking AWS Lambda is a strong fit. Lambda is serverless and scales automatically with incoming uploads, and it can run the watermarking logic as code without managing servers. Transfer Family supports managed workflows that can orchestrate post-upload actions; using a Transfer Family workflow to invoke a Lambda function provides a clean, managed, event-driven pipeline: clients upload via SFTP → objects land in S3 → workflow triggers watermark processing → output is written back to S3.

Option A adds operational burden by requiring an EC2-based application tier for watermarking, which increases patching and scaling responsibilities. Option B can work (S3 + Batch), but it requires building and operating the upload mechanism (REST APIs) and typically more orchestration than necessary for simple “upload then process” flows; Batch is better when you need large-scale, long-running batch compute rather than lightweight per-object processing. Option D is unsuitable because S3 Glacier Deep Archive is intended for long-term archival with slow retrieval, which conflicts with active workflow processing and watermark automation.

Therefore, C best meets the requirements using managed services end-to-end: Transfer Family for ingestion, S3 for object storage, and Lambda for automated watermarking.

AWS Transit Gateway simplifies network connectivity by acting as a hub that can connect VPCs and on-premises networks through VPN or Direct Connect. It provides scalability and reduces administrative overhead by eliminating the need to manage complex peering relationships as the number of accounts and VPCs grows.

AWS guidance is to cover steady baseline with commitments (Reserved Instances or Savings Plans) and use EC2 Spot Instances for burst capacity to minimize cost. Spot provides up to 90% discounts and is well-suited to fault-tolerant, queue-based workloads; interruptions are handled by replacing capacity automatically while messages remain durably in SQS. Using only Spot (A) risks capacity gaps; only RIs sized for peak (B) wastes cost during low demand. Option D scales on backlog but uses On-Demand for bursts, which is more expensive than Spot. With C, baseline capacity (RIs) keeps processing continuously (no downtime), and Spot adds cost-efficient throughput during spikes, aligning with Well-Architected cost and reliability patterns for queue workers.

Amazon S3 is the most cost-effective option for archiving data. Using AWS DMS to migrate to S3 in Apache Parquet format provides an optimized columnar format for analytics. By storing in S3 Glacier Flexible Retrieval, costs are minimized while maintaining compliance with retention. When queries are required, Athena can run SQL queries directly on archived data in S3 without provisioning infrastructure. Options A and B rely on maintaining RDS or EC2 instances, which increases cost and operational overhead. Option C requires full restores to EC2 before running queries, which is slow and inefficient. Therefore, D provides the lowest operational overhead and direct query capability with Athena.

The Application Load Balancer (ALB) supports sticky sessions (session affinity) using application cookies. AWS WAF integrates natively with ALB to provide Layer 7 protection at the same endpoint.

From AWS Documentation:

“You can enable sticky sessions for your Application Load Balancer target groups to ensure that a user’s requests are consistently routed to the same target. AWS WAF integrates with Application Load Balancer to protect your web applications from common exploits.”

(Source: Elastic Load Balancing User Guide & AWS WAF Developer Guide)

Why C and E are correct:

C: ALB operates at Layer 7 (HTTP/HTTPS), supports sticky sessions, and can serve as a public endpoint.

E: AWS WAF can be directly associated with the ALB to inspect traffic and enforce rules.Together, they fulfill both the security and session affinity requirements.

Why others are incorrect:

A: Network Load Balancer doesn’t support session affinity.

B: Gateway Load Balancer is used for virtual appliances, not web applications.

D: Using EIPs bypasses load balancing and WAF integration.

Option B: Pre-signed URLs provide temporary, authenticated access to S3, limiting uploads to the time frame specified. This solution is lightweight, efficient, and easy to implement.

Option Arequires the management of IAM temporary credentials, adding complexity.

Option Cinvolves unnecessary development effort.

Option Dintroduces more complexity with STS and roles than pre-signed URLs.

AWS guidance for global, highly available, low-latency applications using a relational database recommends:

Amazon CloudFront with Amazon S3 for static content to cache data at edge locations globally and minimize latency for static assets.

A regional application tier deployed close to users using managed container services such as Amazon ECS on AWS Fargate, which removes the need to manage servers and scales automatically, reducing operational overhead.

A relational database tier using Amazon Aurora global database, which is purpose-built for globally distributed applications. Aurora global database provides a primary cluster in one Region with low-latency read replicas in secondary Regions and fast cross-Region replication, enabling low-latency reads and high availability for global users.

Option A uses only a single Region, which does not meet the “global users with low latency” requirement.

Option C uses RDS and DMS-based replication, which requires more management and does not provide Aurora’s integrated global database features.

Option D replaces the relational database with DynamoDB, which violates the requirement that the application interacts with a relational database.

AWS Firewall Manager integrates with AWS Organizations to centrally manage and apply security group policies, AWS WAF rules, and AWS Shield Advanced protections. It automates the propagation of rules across accounts and Regions and can also audit and remediate noncompliant configurations.

DynamoDB Accelerator (DAX) is a fully managed, in-memory cache for DynamoDB that delivers up to a 10x performance improvement—even at millions of requests per second. DAX requires minimal changes to existing applications and offloads the read workload from DynamoDB during report generation.

Reference Extract:

"DAX provides in-memory acceleration for DynamoDB tables, reducing response times from milliseconds to microseconds with minimal application changes."

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Performance section.

The company needs a cloud-based storage solution for frequently accessed data with low latency, while retaining their current on-premises infrastructure for some data storage. AWS Storage Gateway'sVolume Gateway with cached volumesis the most appropriate solution for this scenario.

AWS Storage Gateway - Volume Gateway (Cached Volumes):

Volume Gateway with cached volumesallows you to store frequently accessed data in the AWS Cloud while keeping the most recently accessed data cached locally on-premises. This ensures low-latency access to active data while providing scalability for the rest of the data in the cloud.

The cached volume option stores the primary data in Amazon S3 but caches frequently accessed data locally, ensuring fast access. This configuration is well-suited for applications that require fast access to frequently used data but can tolerate cloud-based storage for the rest.

Since the company is facing limited on-premises storage, cached volumes provide an ideal solution, as they reduce the need for additional on-premises storage infrastructure.

Why Not the Other Options?:

Option A (S3 File Gateway): S3 File Gateway provides a file-based interface (SMB/NFS) for storing data directly in S3. While it is great for file storage, the company’s need for block-level storage with iSCSI targets makes Volume Gateway a better fit.

Option C (Volume Gateway - Stored Volumes): Stored volumes keep all the data on-premises and asynchronously back up to AWS. This would not address the company's storage limitations since they would still need substantial on-premises storage.

Option D (Tape Gateway): Tape Gateway is designed for archiving and backup, not for frequently accessed low-latency data.

AWS References:

AWS Storage Gateway - Volume Gateway

To upload photos to an S3 bucket using Amazon CloudFront with a custom domain name, the following components are required:

ACM in us-east-1 (Option A): When using CloudFront with HTTPS, the SSL/TLS certificate must be created in theus-east-1Region. AWS Certificate Manager (ACM) handles the provisioning, management, and renewal of public certificates, making this a cost-effective and low-maintenance solution.

S3 Transfer Acceleration (Option C): Transfer Acceleration allows faster uploads to S3 from CloudFront by routing traffic through AWS’s edge locations. This significantly speeds up the data upload process, especially for users that are geographically distant from the S3 bucket's region.

Option B (ACM in eu-west-1): CloudFront only supports certificates created in us-east-1.

Option D and E (OAC and website endpoint): These are not ideal for handling secure uploads or efficient data transfers in this case.

AWS References:

Using ACM with CloudFront

Amazon S3 Transfer Acceleration

AWS Config allows for creation of custom rules to monitor EBS configurations. Combined with CloudWatch metrics and Amazon SNS, custom rules can track over-provisioned IOPS and send alerts when thresholds are breached, allowing proactive cost and performance management.

Amazon FSx for Lustre is a high-performance file system optimized for fast processing of workloads such as machine learning, high-performance computing (HPC), and video processing. It integrates natively with Amazon S3, allowing you to:

Access S3 Data: FSx for Lustre can be linked to an S3 bucket, presenting S3 objects as files in the file system.

High Performance: It provides sub-millisecond latencies, high throughput, and millions of IOPS, which are ideal for ML workloads.Amazon Web Services, Inc.

Minimal Operational Overhead: Being a fully managed service, it reduces the complexity of setting up and managing high-performance file systems.

Since the application uses long-lived TCP connections and must remain idle for up to 1 hour without timeout, all components involved in the connection path (ALB, GWLB, and firewall) must have their idle timeout values configured to at least 1 hour.

Gateway Load Balancer supports transparent insertion of firewalls, and configuring consistent idle timeouts ensures connections don’t drop mid-session.

Using just one firewall (option B) introduces a single point of failure. Increasing capacity (option D) doesn't solve idle timeout issues. Therefore, C provides a resilient and complete configuration.

Amazon S3 Standard provides virtually unlimited scalability, high durability (11 nines), and millisecond latency. It is designed for storing large volumes of unstructured content such as media files. S3 also supports pre-signed URLs and direct browser uploads, enabling users to upload files securely without passing through backend servers. EBS volumes (A) are block storage, limited to single AZ, and not suitable for web-scale storage. EFS (B) is a shared file system for POSIX workloads, not for direct browser uploads. S3 Express One Zone (D) offers higher performance for small objects but does not provide cross-AZ durability, making it unsuitable for growing global content. Therefore, option C is the most scalable, durable, and cost-effective solution.

DynamoDB export to Amazon S3 (via point-in-time exports or table backups) “does not consume read capacity” and has no impact on table performance. Once data is in S3, Amazon Redshift can ingest efficiently with COPY from S3, which is the standard, parallel, high-throughput load path with minimal management. Direct COPY from DynamoDB (B) performs a table scan that can consume provisioned throughput, risking throttling. Building Lambda pipelines (C) adds custom code and scheduling overhead. Athena federated queries (D) are ad hoc analytics, not optimized for bulk, recurring warehouse loads. Therefore, exporting to S3 and loading with Redshift COPY maintains DynamoDB throughput and minimizes operational burden.

Export Requirements:

To export data from DynamoDB to Amazon S3, point-in-time recovery (PITR) must be enabled for the tables. This feature creates a snapshot of the data, which is essential for exports.

Incorrect Options Analysis:

Option B: S3 buckets and DynamoDB tables do not need to be in the same region for exports.

Option C: DynamoDB streams are unrelated to the export functionality.

Option D: DAX accelerates reads but has no role in exports.

The workload is Windows-based and requires a shared file system with SMB support and very high throughput for 4K video editing.

Amazon FSx for Windows File Server is a fully managed, highly available native Windows file system that supports the SMB protocol, Active Directory integration, and can deliver high throughput and low latency suitable for media workloads.

FSx for Windows File Server supports automatic storage scaling to grow file system capacity as data increases, matching the requirement of +1 TB per week with minimal admin effort.

A Multi-AZ SSD deployment provides high availability and performance.

Why others are not correct:

B: Amazon EFS is NFS, not SMB, and is optimized for Linux clients, not Windows-based environments.

C: FSx for Lustre is a high-performance POSIX file system typically used with Linux-based HPC workloads, not Windows + SMB.

D: S3 File Gateway is not designed for sustained multi-GB/s shared-edit performance and adds additional complexity; it is more suited for backup/archival and limited shared file access.

A. Fixed desired instances:Does not adapt to traffic load fluctuations, leading to inefficiencies.

B. Larger EC2 instances:Increases costs unnecessarily.

C. Target tracking scaling policy:Adjusts capacity based on actual demand, optimizing costs.

D. Instance store volumes:Not persistent and unsuitable for shared data across instances.

AWS Outposts brings native AWS services (including Amazon EMR) on-premises, ideal when data residency or latency constraints require local processing.

You benefit from AWS’s managed services while meeting the requirement to keep data processing local.

This solution is the most cost-effective and meets the RPO and RTO requirements of 24 hours.

Automatic Snapshots: Amazon RDS automatically creates snapshots of your DB instance at regular intervals. By copying these snapshots to another AWS Region every 24 hours, you ensure that you have a backup available in a different geographic location, providing disaster recovery capability.

RPO and RTO: Since the company’s RPO and RTO are both 24 hours, copying snapshots daily to another Region is sufficient. In the event of a disaster, you can restore the DB instance from the most recent snapshot in the target Region.

Why Not Other Options?:

Option A (Cross-Region Read Replica): This could provide a faster recovery time but is more costly due to the ongoing replication and resource usage in another Region.

Option B (DMS Cross-Region Replication): While effective for continuous replication, it introduces complexity and cost that isn’t necessary given the 24-hour RPO/RTO.

Option C (Cross-Region Native Backup Copy): This involves more manual steps and doesn’t offer as straightforward a solution as automated snapshot copying.

AWS References:

Amazon RDS Automated Backups and Snapshots- Details on automated backups and snapshots in RDS.

Copying an Amazon RDS DB Snapshot- How to copy DB snapshots to another Region.

Amazon RDS Proxy is a fully managed database proxy for RDS that makes applications more scalable, more resilient to database failures, and more secure. RDS Proxy pools and shares database connections, allowing applications to open and close connections as needed without overwhelming the database. This is the recommended solution when the application cannot be modified to use connection pooling itself.

AWS Documentation Extract:

"Amazon RDS Proxy helps manage database connections to improve application scalability and performance. It pools connections and shares them among application clients, which can mitigate issues caused by opening and closing many database connections."

(Source: Amazon RDS Proxy documentation)

A: Upgrading the instance does not solve connection inefficiency and can be cost-ineffective.

B: Increasing IOPS only helps if storage is a bottleneck, not if connections are the issue.

D: Multi-AZ improves availability, not connection management.

AWS documentation states that the most secure method for granting private S3 access from VPCs is to use gateway VPC endpoints for Amazon S3. Endpoint policies enforce least privilege by allowing only specific IAM roles access to specific S3 buckets. Because users can obtain temporary credentials through IAM roles, no permanent access keys must be distributed.

S3 bucket policies based on CIDR ranges (Option B) are less secure because CIDR-based access is broader and can grant unintended access. Access points (Option C) still rely on public S3 endpoints unless combined with VPC-only access, which is not stated here. Option D exposes S3 to public internet egress and depends on public IPs, violating least-privilege principles.

=====================================================

Amazon S3 File Gateway (AWS Storage Gateway) exposes an on-premises NFS/SMB file share that durably stores files as S3 objects with local caching, enabling low-latency writes on-premises and asynchronous, near-real-time ingestion into Amazon S3 for analytics. It is purpose-built to “present a file interface backed by Amazon S3” and to “store files as objects in your S3 buckets,” so existing applications writing to a network share can transparently land data in S3 without custom scripts or job orchestration. Compared with scheduled transfers (e.g., end-of-day DataSync), S3 File Gateway continuously uploads new/changed files, better meeting the near-real-time requirement. Transfer Family (SFTP) would require custom polling and client changes, increasing operational burden. DataSync is excellent for bulk or periodic migrations/synchronizations but is not as seamless for continuous ingestion from a live file share. Therefore, updating the application to point to an S3 File Gateway share provides the simplest, performant path to near-real-time delivery into S3 for downstream analytics.

An S3 Bucket Key reduces the cost of using AWS KMS for server-side encryption by decreasing the number of requests made to KMS. By enabling S3 Bucket Key, the company can meet its encryption requirements with KMS keys while optimizing costs by reducing the number of KMS API requests.

Key AWS features:

Cost Optimization: S3 Bucket Keys reduce the frequency of KMS calls, optimizing the cost associated with encryption while still using AWS KMS for key management.

Compliance with KMS Encryption: This solution continues to meet the strict encryption requirements of the company by using KMS managed keys.

AWS Documentation: Using an S3 Bucket Key is recommended for organizations looking to optimize encryption costs without compromising security​​.

Amazon Aurora MySQL supports the SELECT INTO OUTFILE S3 SQL syntax to export query results directly to Amazon S3. This is an efficient and low-overhead method for archiving data.

Once data is in S3, Lifecycle rules can be configured to automatically transition older data to lower-cost storage classes (such as S3 Glacier) or delete it after a defined period, providing a cost-optimized and automated archive solution.

The Glue-based options involve more services and operational overhead. SCT is intended for database migrations, not for periodic data archival.

To meet the requirement of deleting objects older than 3 years while retaining certain data, this solution leverages serverless technologies to minimize operational overhead.

S3 Inventory: S3 Inventory provides a flat file that lists all the objects in an S3 bucket and their metadata, which can be configured to include data such as the last modified date. This inventory can be generated daily or weekly.

AWS Lambda Function: A Lambda function can be created to process the S3 Inventory report, filtering out the objects that need to be retained and identifying those that should be deleted.

S3 Batch Operations: S3 Batch Operations can execute tasks such as object deletion at scale. By invoking the Lambda function through S3 Batch Operations, you can automate the process of deleting the identified objects, ensuring that the solution is serverless and requires minimal operational management.

Why Not Other Options?:

Option A (AWS CLI script on EC2): Running a script on an EC2 instance adds unnecessary operational overhead and is not serverless.

Option B (AWS Batch): AWS Batch is designed for running large-scale batch computing workloads, which is overkill for this scenario.

Option C (AWS Glue + script): AWS Glue is more suited for ETL tasks, and this approach would add unnecessary complexity compared to the serverless Lambda solution.

AWS References:

Amazon S3 Inventory- Information on how to set up and use S3 Inventory.

S3 Batch Operations- Documentation on how to perform bulk operations on S3 objects using S3 Batch Operations.

AWS Global Accelerator is a service that improves global application availability and performance using the AWS global network. It supports both TCP and UDP protocols and provides optimized routing and lower latency for real-time applications such as VoIP, regardless of where the user is located globally.

AWS Documentation Extract:

"AWS Global Accelerator uses the AWS global network to optimize the path to your application endpoints, improving performance for TCP and UDP traffic, such as VoIP."

(Source: AWS Global Accelerator documentation)

B: CloudFront accelerates HTTP/S content, not TCP/UDP.

C: Route 53 geoproximity routing is for DNS-based routing, not for traffic acceleration.

D: Network Load Balancers support TCP/UDP, but do not address global latency or provide acceleration.

Amazon DynamoDB is a serverless, NoSQL database that is fully managed, highly available, and scales automatically. It is ideal for data without a fixed schema and for use cases where fields can vary by user. DynamoDB Streams enables the capture of changes to table items in real time, which is ideal for triggering additional processing or workflows on data modifications.

Reference Extract from AWS Documentation / Study Guide:

"DynamoDB provides a scalable, highly available NoSQL database service for applications requiring flexible schema. DynamoDB Streams captures table activity for processing changes in real time."

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Serverless section.

The IAM policy includes two statements:

1️⃣ Allow ec2:TerminateInstances on all resources

2️⃣ Deny ec2:TerminateInstances if the request does NOT come from:

192.0.2.0/24

203.0.113.0/24

AWS IAM policy evaluation rules state:

Explicit Deny always overrides Allow.

A request must meet all applicable conditions in the policy to be granted.

aws:SourceIp condition applies when IAM actions are invoked via the public AWS APIs.

In this scenario, the administrator is not originating the request from one of the allowed CIDR blocks, so the Deny condition is triggered, overriding the Allow statement.

Therefore, the operation is blocked with:

403 AccessDenied: explicit deny

This matches the behavior described in the AWS IAM Policy Evaluation Logic used in the Security Pillar of the Well-Architected Framework:

Explicit Deny > Allow > Default Deny

IP-based Conditions restrict API calls originating outside approved network ranges

Options A/B/C do not accurately reflect this explicit Deny condition behavior.

Amazon S3 Glacier Flexible Retrieval is designed for long-lived, infrequently accessed data where retrieval times of minutes to hours are acceptable. It offers very low storage cost per GB while still supporting faster retrieval than archival tiers that can take many hours or days.

The requirement states that data is rarely accessed and must be retrievable within 12 hours. Glacier Flexible Retrieval meets this retrieval-time requirement and is more cost-effective per GB than Standard and Infrequent Access storage classes for long-term, rarely accessed data.

S3 Standard, S3 Standard-IA, and S3 One Zone-IA are optimized for more frequent or lower-latency access and have higher storage cost per GB compared to Glacier Flexible Retrieval.

The Requester Pays feature in Amazon S3 allows the bucket owner to configure the bucket so that the requester, rather than the bucket owner, pays for data transfer and request costs. This is ideal for sharing large datasets with the public or with other AWS accounts when you want to minimize your own data transfer expenses.

Reference Extract from AWS Documentation / Study Guide:

"Requester Pays buckets allow you to configure the bucket so that the requester instead of the bucket owner pays the cost of the request and the data download from the bucket."

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Cost Management section.

Edge-optimized API Gateway endpoints utilize the Amazon CloudFront global network to decrease latency for clients globally. This setup ensures that the request is routed to the closest edge location, significantly reducing response time and improving performance for worldwide users.

Amazon RDS does not support enabling encryption at rest on an existing unencrypted DB instance. To encrypt an existing RDS instance’s data at rest, the recommended method is to:

Take a snapshot of the unencrypted DB instance.

Create an encrypted copy of the snapshot using AWS KMS. This encrypted snapshot contains the existing data encrypted at rest.

Restore a new DB instance from the encrypted snapshot. This new instance will have encryption at rest enabled.

Additionally, to manage encryption keys securely, companies can use customer managed keys (CMKs) in AWS Key Management Service (KMS). CMKs provide greater control over key management policies, rotation, and usage permissions compared to default AWS managed keys. Using a CMK allows customization of access control and auditability.

Option A is incorrect because you cannot enable encryption directly on a snapshot; you must create an encrypted copy. Option C is invalid because encryption cannot be enabled by modifying an existing instance’s configuration. Option D refers to the default AWS managed key, which is less flexible than customer managed keys.

Key Requirements:

Host the frontend on AWS as a static website.

Protect the application from common web vulnerabilities.

Minimal operational overhead.

Analysis of Options:

Option A:

Hosting the frontend on EC2 with an ALB introduces unnecessary complexity for serving static content.

AWS WAF rules can protect the ALB, but managing EC2 instances adds operational overhead.

Incorrect Approach:High operational complexity for a simple static website.

Option B:

Amazon CloudFront:Acts as a global CDN, reducing latency and protecting against DDoS attacks.

Multiple Origins:Allows static content to be served from S3 while routing API traffic to the on-premises backend.

AWS WAF:Integrates with CloudFront to provide web application protection.

Correct Approach:Offers low operational overhead with optimal security and performance.

Option C:

Using NLB and Network Firewall is unnecessary for a static website. This approach increases cost and complexity without addressing the frontend requirements effectively.

Incorrect Approach:Over-engineered solution.

Option D:

Hosting the frontend on S3 and using API Gateway is a viable option, but managing AWS WAF rules separately for both the S3 bucket and the REST API increases complexity.

Incorrect Approach:Less efficient than using CloudFront with multiple origins.

AWS Solution Architect References:

Amazon CloudFront Overview

AWS WAF with CloudFront

To analyze the performance of the web application with granularity of no more than 2 minutes, enablingdetailed monitoringon EC2 instances is the best solution. By default, CloudWatch provides metrics at a 5-minute interval. Enabling detailed monitoring allows you to collect metrics at 1-minute intervals, which will give you the level of granularity you need to analyze performance during peak traffic.

Amazon CloudWatch metrics can then be used to analyze CPU utilization, memory usage, disk I/O, and network throughput, among other performance-related metrics, at the desired granularity.

Option A: Sending CloudWatch logs to Redshift for analysis is unnecessary and overcomplicated for simple performance analysis, which can be done using CloudWatch metrics alone.

Option C: Fetching EC2 logs via Lambda adds complexity, and CloudWatch metrics already provide the required data for performance analysis.

Option D: Sending logs to S3 and using Redshift for analysis is also more complex than necessary for simple performance monitoring.

AWS References:

Monitoring Amazon EC2 with CloudWatch

Amazon CloudWatch Detailed Monitoring

Amazon Kinesis Data Streams provides a highly scalable and durable service for ingesting real-time streaming data. By decoupling ingestion and processing, Kinesis can handle large spikes in traffic without service disruption. Lambda functions (or other consumers) can then process the data as it arrives, scaling automatically. This pattern avoids 503 errors due to compute saturation and delivers a resilient, serverless, and highly scalable architecture.

Reference Extract from AWS Documentation / Study Guide:

"Kinesis Data Streams provides a scalable and durable real-time data streaming service. Coupling Kinesis with AWS Lambda enables event-driven processing, elasticity, and decoupling between ingestion and processing layers."

Source: AWS Certified Solutions Architect – Official Study Guide, Streaming and Serverless section.

Amazon Neptune: Neptune is a fully managed graph database service that is optimized for storing and querying highly connected data. It supports both property graph and RDF graph models, making it suitable for applications that need to analyze relationships between data entities.

Neptune Streams: Neptune Streams captures changes to the graph and streams these changes to other AWS services. This is useful for applications that need to monitor and respond to changes in real-time, such as providing recommendations based on user interactions and relationships.

Least Operational Overhead: Using Neptune Streams directly with Amazon Neptune ensures that the solution is tightly integrated, reducing the need for additional components and minimizing operational overhead. This integration simplifies the architecture by eliminating the need for a separate service like Kinesis for change processing.

AWS Site-to-Site VPN is a cost-effective way to securely connect your on-premises data center with AWS resources. In this scenario:

Applications in private subnetsrequire access to the API hosted in the on-premises data center.

ASite-to-Site VPN connectionis a secure and cost-efficient option to route traffic between the VPC and on-premises resources.

Transit GatewayandPrivateLinkare not cost-effective for this use case.

NAT Gatewayonly provides internet access for private subnets, which is not suitable for reaching an on-premises resource.

AWS Documentation Reference:

AWS Site-to-Site VPN

CloudFront Signed Cookies:

CloudFront signed cookies allow the company to provide access to premium users while maintaining a single, consistent URL.

This approach is simpler and more scalable than managing presigned URLs for each file.

Incorrect Options Analysis:

Option A: Using EC2 and EBS increases complexity and cost.

Option B: Managing presigned URLs for each file is not scalable.

Option D: CloudFront signed URLs require unique URLs for each file, which does not meet the requirement for a single URL.

For an application requiring TCP communication and high availability:

Network Load Balancer (NLB)is the best choice for load balancing TCP traffic because it is designed for handling high-throughput, low-latency connections.

Auto Scaling groupensures that the application can automatically scale based on demand, adding or removing EC2 instances as needed, which is crucial for handling user growth.

Option C (Application Load Balancer): ALB is primarily for HTTP/HTTPS traffic, not ideal for TCP.

Option D (Manual scaling): Manually adding instances does not provide the automation or scalability required.

Option E (Gateway Load Balancer): GLB is used for third-party virtual appliances, not for direct application load balancing.

AWS References:

Network Load Balancer

Auto Scaling Group

To ensure container images are secure and to notify administrators about vulnerabilities, the solution needs (1) a vulnerability scanning capability for container images and (2) a notification mechanism that alerts when findings occur. Amazon Inspector provides automated security assessments and can scan container images stored in Amazon ECR to identify software vulnerabilities and unintended network exposure patterns, producing findings that can be acted upon. Therefore, D addresses the core requirement of detecting vulnerabilities in container images.

To notify administrators with minimal custom work, AWS Config can help by evaluating resources against desired configurations and integrating with notifications through AWS services (for example, via Amazon SNS using Config rules/conformance packs). Using the AWS Config conformance pack for Amazon ECS helps establish a managed set of compliance checks aligned to ECS-related best practices. While Inspector is the system that detects vulnerabilities, Config can be used to enforce and monitor governance controls around the container environment and can trigger notifications when noncompliance is detected. In exam patterns, pairing an Inspector detection capability with a managed governance/notification framework like Config is a common “two-part” answer.

The other options do not meet the requirement: A (privileged mode) can increase risk rather than improve image security; logging does not equal vulnerability detection. C is unrelated because AWS WAF protects web applications at the edge and does not scan container images for CVEs. E is incorrect because Parameter Store stores configuration data and secrets; it does not encrypt container images (ECR encryption at rest is handled by AWS-managed mechanisms and KMS integration, not Parameter Store).

So D provides scanning and B supports managed compliance/notification controls with low operational overhead.

EKS lets teams “run Kubernetes on AWS without needing to install and operate your own Kubernetes control plane,” and with AWS Fargate, you “run Kubernetes pods without managing servers,” reducing operational overhead for worker nodes. For the data layer, Amazon DocumentDB (with MongoDB compatibility) “supports the MongoDB API and drivers,” allowing existing MongoDB applications to work without application changes, while the service “automatically scales storage,” provides “high availability across multiple Availability Zones,” automatic backups, and patching. Because the company cannot change code or deployment methods, keeping Kubernetes (EKS) and the MongoDB API (DocumentDB compatibility) is essential. Options A and C either change the orchestrator (to ECS) or the database API (to DynamoDB), which would require code/deployment changes. Option A also leaves you managing EC2 nodes and a self-managed MongoDB on EC2, increasing ops burden. Therefore, EKS on Fargate + Amazon DocumentDB minimizes operations and preserves compatibility.

AWS Step Functions provides a low-code, fully managed workflow service with a visual interface to orchestrate AWS Glue jobs in sequence. Step Functions integrates natively with AWS Glue and can be triggered by Amazon EventBridge based on events or schedules.

AWS Documentation Extract:

“AWS Step Functions makes it easy to coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Step Functions provides visual workflows and integrates with AWS Glue for ETL orchestration.”

(Source: AWS Step Functions documentation)

A: Manual scripting and dashboards do not provide a low-code or integrated visual workflow.

C: QuickSight is for BI, not workflow visualization.

D: ECS adds unnecessary complexity.

The best solution is to useAmazon SQSto receive updates from the mobile app and process them with anAWS Lambdafunction. The Lambda function can rewrite the message body as necessary for each shipper and then publish the updates to the appropriateSNS topicfor distribution. Thissetup ensures that each shipper receives only the relevant data and minimizes operational overhead by using managed services.

Option A (SNS filter policy): SNS does not have the capability to rewrite message bodies before forwarding.

Option C (Second SNS topic): Using an additional SNS topic adds unnecessary complexity without solving the message rewriting requirement.

Option D (EventBridge Pipes): EventBridge Pipes is more complex than necessary for this use case, and Lambda can handle the logic more efficiently.

AWS References:

Amazon SQS

Amazon SNS with Lambda

For the relational database tier, Amazon RDS Multi-AZ provides high availability with minimal manual intervention. In Multi-AZ mode, RDS maintains a synchronous standby in a different Availability Zone and provides automatic failover during certain failure scenarios. This reduces operational burden because the service handles replication, health monitoring, and failover orchestration.

For the container-based application tier, Amazon ECS with the Fargate launch type minimizes operational overhead because it removes the need to provision, patch, and scale the underlying EC2 instances that host containers. With Fargate, AWS manages the compute infrastructure, and the team focuses on task definitions, scaling policies, and application configuration. This supports a highly available, load-balanced architecture because ECS services can run tasks across multiple Availability Zones behind an Application Load Balancer, and scaling is managed via ECS Service Auto Scaling.

Option B describes read replicas, which are primarily used for scaling reads and, depending on configuration, may not provide the same automated failover characteristics as Multi-AZ for high availability. Read replicas are not a direct substitute for Multi-AZ HA. Option C (self-managed Docker cluster on EC2) is operationally heavy: you must manage node capacity, patching, cluster lifecycle, and scheduling. Option E (ECS on EC2) is a valid container platform but still requires managing EC2 instances, AMIs, and scaling/patching, which increases manual intervention compared to Fargate.

Therefore, combining RDS Multi-AZ (A) for database resilience and ECS Fargate (D) for serverless container operations meets the HA requirement with the least manual effort.

A Network Load Balancer operates at Layer 4 (TCP/UDP/TLS) and is optimized for high performance and static IP use cases. While NLB target groups can perform health checks, they are typically oriented around basic reachability and do not provide the same application-layer (Layer 7) visibility as an Application Load Balancer (ALB). The problem statement says the NLB is “not detecting HTTP errors,” which indicates the health signal needs to be based on an HTTP endpoint that can reflect application correctness (for example, returning specific HTTP status codes).

Replacing the NLB with an ALB enables true HTTP/HTTPS health checks against a URL path, including interpretation of HTTP response codes. This is the cleanest managed approach to detect application-layer failure modes that still allow TCP connections but produce bad HTTP responses. Once the ALB detects targets as unhealthy, the target group health status can be used by an Auto Scaling group to take action. With appropriate health check configuration (and, commonly, using ELB health checks as a signal), Auto Scaling can replace unhealthy instances automatically, improving availability without custom scripts.

Option A is misleading: NLB does not provide the same HTTP-aware request routing and rich L7 features; even if an NLB health check is configured, it does not address the broader need for application-layer detection and remediation as directly as ALB. Option B violates the “no custom scripts” requirement. Option D reacts to UnhealthyHostCount, but if the NLB isn’t marking hosts unhealthy for HTTP error cases, the metric won’t reliably trigger replacement; it also still depends on the NLB’s limited visibility into HTTP failures.

Therefore, C best meets the requirement by shifting to ALB for application-layer health checks and using Auto Scaling to replace unhealthy instances automatically.

This solution is the most cost-effective and efficient way to break down costs per application.

Tagging Resources: By tagging all AWS resources with a specific key (e.g., "cost") and a value representing the application's name, you can easily identify and categorize costs associated with each application. This tagging strategy allows for granular tracking of costs within AWS.

Activating Cost Allocation Tags: Once tags are applied to resources, you need to activate cost allocation tags in the AWS Billing and Cost Management console. This ensures that the costs associated with each tag are included in your billing reports and can be used for cost analysis.

AWS Cost Explorer: Cost Explorer is a powerful tool that allows you to visualize, understand, and manage your AWS costs and usage over time. You can filter and group your cost data by the tags you’ve applied to resources, enabling you to easily see the cost breakdown for each application. Cost Explorer also supports generating regular reports, which can be scheduled and emailed to stakeholders.

Why Not Other Options?:

Option A (AWS Budgets): AWS Budgets is more focused on setting cost and usage thresholds and monitoring them, rather than providing detailed cost breakdowns by application.

Option B (Load Cost and Usage Reports into RDS): This approach is less cost-effective and involves more operational overhead, as it requires setting up and maintaining an RDS instance and running SQL queries.

Option D (AWS Billing and Cost Management Console): While you can download bills, this method is more manual and less dynamic compared to using Cost Explorer with activated tags.

AWS References:

AWS Tagging Strategies- Overview of how to use tagging to organize and track AWS resources.

AWS Cost Explorer- Details on how to use Cost Explorer to analyze costs.

Amazon RDS Blue/Green Deployments provide a safe and straightforward way to make database changes with minimal downtime and risk. Blue/Green deployments create an exact copy ("green") of your production environment ("blue") where you can make schema changes and run tests. After validation, you can promote the green environment to production with a single click or API call, achieving near-zero downtime and maximum availability. This is the AWS-recommended method for deploying major database changes in a way that minimizes impact to users and maximizes uptime.

Reference Extract from AWS Documentation / Study Guide:

"Amazon RDS Blue/Green Deployments enable you to make changes to your database environment safely. You can perform schema updates and feature testing in a fully managed staging environment and switch over with minimal downtime, ensuring the highest availability."

Source: AWS Certified Solutions Architect – Official Study Guide, Database and Migration section; Amazon RDS Blue/Green Deployments Documentation.

AWS PrivateLink enables private connectivity between VPCs and supported AWS or third-party services without exposing traffic to the public internet. It ensures secure and private communications, making it ideal for connecting internal services to SaaS applications hosted in AWS.

A warm pool is an Auto Scaling feature that keeps instances in a pre-initialized state so they can quickly join the active group when scaling is required. This reduces the time needed for instance bootstrapping and makes new capacity available almost instantly. Option A only increases capacity limits but does not address slow boot times. Option C merely extends grace periods without solving the delay. Option D forces overprovisioning, which is wasteful and not aligned with cost optimization. Using a warm pool (B) directly addresses the problem by reducing response time to scaling events.

This solution meets the requirements of providing encryption at both the network and session layers while also allowing for controlled access between on-premises systems and AWS resources.

AWS Site-to-Site VPN: This service allows you to establish a secure and encrypted connection between your on-premises network and AWS VPC over the internet or via AWS Direct Connect. The VPN encrypts data at the network layer (IPsec) as it travels between the corporate network and AWS.

Routing and Security Controls: By configuring route table entries, you can ensure that only the traffic intended for AWS resources is directed to the VPC. Additionally, by setting up security groups and network ACLs, you can further restrict and control which traffic is allowed to communicate with the instances within your VPC. This approach provides the necessary security to prevent unrestricted access, aligning with the company’s security policies.

Why Not Other Options?:

Option A (AWS Direct Connect): While Direct Connect provides a private connection, it does not inherently provide encryption. Additional steps would be required to encrypt traffic, and it doesn’t address the session layer encryption.

Option B (IAM policies for Console access): This option does not meet the requirement for network-level encryption and security between the corporate network and the VPC.

Option D (AWS Transit Gateway): Although Transit Gateway can help in managing multiple connections, it doesn’t directly provide encryption at the network layer. You would still need to configure a VPN or use other methods for encryption.

AWS References:

AWS Site-to-Site VPN- Overview of AWS Site-to-Site VPN capabilities, including encryption.

Security Groups and Network ACLs- Information on configuring security groups and network ACLs to control traffic.

In Amazon EKS, Kubernetes stores objects such as Secrets in the cluster’s etcd key-value store. By default, Kubernetes Secrets are base64-encoded and are not automatically encrypted at the application object level unless encryption is configured. Amazon EKS provides a managed capability to encrypt Kubernetes Secrets at rest in etcd using AWS Key Management Service (KMS). The requirement explicitly states that “all secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store,” which maps directly to enabling EKS secrets encryption with a customer-managed KMS key.

Option B is exactly this: create a KMS key and enable EKS KMS secrets encryption on the cluster. With this enabled, EKS uses envelope encryption so that Secrets are encrypted when stored in etcd, and decrypt operations are controlled through KMS permissions. This is the standard, AWS-native method that fulfills the requirement without requiring application changes or external secret stores for the encryption-at-rest requirement in etcd.

Option A (Secrets Manager) is a strong service for secret lifecycle management and rotation, but it does not by itself guarantee that Kubernetes Secrets stored in etcd are encrypted unless EKS secrets encryption is also enabled or the cluster avoids storing secrets in etcd entirely. The question specifically targets etcd encryption. Option C is unrelated: the EBS CSI driver concerns persistent volumes, not etcd secret encryption. Option D concerns EBS volume encryption and a specific AWS-managed key alias used for EBS; it also does not address etcd encryption for Kubernetes Secrets.

Therefore, B is the correct solution because it directly enables encryption of Kubernetes Secrets within etcd using KMS.

Option Ais the simplest solution, using DynamoDB Streams and Lambda for real-time ingestion into S3.

Options B, C, and Dadd unnecessary complexity with Data Firehose or Kinesis.

The company wants to reduce end-to-end load time for its global customer base.AWS Global Acceleratorprovides a network optimization service that reduces latency by routing traffic to the nearest AWS edge locations, improving the user experience for globally distributed customers.

AWS Global Accelerator:

Global Acceleratorimproves the performance of your applications by routing traffic through AWS’s global network infrastructure. This reduces the number of hops and latency compared to using the public internet.

By creating astandard acceleratorand configuring the existing NLBs as target endpoints, Global Accelerator ensures that traffic from users around the world is routed to the nearest AWS edge location and then through optimized paths to the NLBs in each region. This significantly improves end-to-end load time for global customers.

Why Not the Other Options?:

Option A (ALBs instead of NLBs): ALBs are designed for HTTP/HTTPS traffic and provide layer 7 features, but they wouldn’t solve the latency issue for a global customer base. The key problem here is latency, and Global Accelerator is specifically designed to address that.

Option B (Route 53 weighted routing): Route 53 can route traffic to different regions, but it doesn’t optimize network performance. It simply balances traffic between endpoints without improving latency.

Option C (Additional NLBs in more regions): This could potentially improve latency but would require setting up infrastructure in multiple regions. Global Accelerator is a simpler and more efficient solution that leverages AWS’s existing global network.

AWS References:

AWS Global Accelerator

By usingAWS Global Acceleratorwith the existing NLBs, the company can optimize global traffic routing and improve the customer experience by minimizing latency. Therefore,Option Dis the correct answer.

Amazon RDS for MySQL supports read replicas that offload read-intensive workloads such as reporting, leaving the primary instance free for write operations.

“You can use Amazon RDS read replicas to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.”

— Working with Read Replicas

This is the recommended approach for minimizing performance impact on the primary DB instance.

AWS X-Ray is the AWS service designed for distributed tracing, giving end-to-end visibility into how requests flow through microservices, APIs, and serverless components. It provides service maps, latency breakdowns, and performance insight per service, which is exactly what is required.

To use X-Ray effectively, each application stack must be instrumented. For infrastructure deployed through AWS CloudFormation, best practice is to enable and configure X-Ray in the CloudFormation templates (for Lambda, API Gateway, ECS, etc.). That way, all teams and stacks have consistent tracing enabled as part of their IaC.

Control Tower (Option B) cannot “turn on” X-Ray tracing inside applications; it only helps with account setup and guardrails.

CloudTrail (Option A) is for audit logging of API calls, not performance tracing.

CloudWatch (Option C) provides metrics and logs, but not request-level distributed tracing across multiple services.

Why Option D is Correct:

IAM Roles with Instance Profiles: Allow applications to access AWS services securely without hardcoding long-term access keys.

Short-Term Credentials: IAM roles issue short-term credentials dynamically managed by AWS.

Why Other Options Are Not Ideal:

Option A and B: Embedding or retrieving long-term access keys introduces security risks and operational overhead.

Option C: Combining IAM roles with Parameter Store adds unnecessary complexity.

AWS References:

IAM Roles and Instance Profiles:AWS Documentation - IAM Roles

Creating aVPC endpointfor S3 and configuring abucket policyto allow access only from the endpoint ensures that only EC2 instances within the VPC can access the S3 bucket. This solutionimproves security by restricting access at the network level without the need for public internet access.

Option A (IAM policies): IAM policies alone cannot restrict access based on the network location.

Option B and D (Encryption): Encryption secures data at rest but does not restrict network access to the bucket.

AWS References:

Amazon S3 VPC Endpoints

Amazon S3 Storage Lens:

S3 Storage Lens provides organization-wide visibility into object storage usage and activity trends.

It can generate metrics and insights about your S3 buckets, including versioning status.

Configuration:

Enable S3 Storage Lens at the organization level.

Configure the dashboard to include the versioning status metric.

Identify Non-Versioned Buckets:

Use the S3 Storage Lens dashboard to filter and identify buckets that do not have versioning enabled.

Storage Lens provides detailed insights and reports which can be used to enforce compliance and manage storage effectively.

Operational Efficiency: Using S3 Storage Lens provides a centralized, easy-to-use interface for monitoring bucket configurations across multiple Regions and accounts, reducing the need for custom scripts or manual checks.

Amazon Aurora Serverless is a cost-effective, on-demand, autoscaling configuration for Amazon Aurora. It automatically adjusts the database's capacity based on the current demand, which is ideal for workloads with variable and unpredictable usage patterns. Since the application is expected to be read-heavy with occasional writes and steady growth, Aurora Serverless can provide the necessary performance without requiring the management of database instances.

Cost-Optimization: Aurora Serverless only charges for the database capacity you use, making it a more cost-effective solution compared to always running provisioned database instances, especially for workloads with fluctuating demand.

Scalability: It automatically scales database capacity up or down based on actual usage, ensuring that you always have the right amount of resources available.

Performance: Aurora Serverless is built on the same underlying storage as Amazon Aurora, providing high performance and availability.

Why Not Other Options?:

Option A (RDS with Provisioned IOPS SSD): While Provisioned IOPS SSD ensures consistent performance, it is generally more expensive and less flexible compared to the autoscaling nature of Aurora Serverless.

Option C (DynamoDB with On-Demand Capacity): DynamoDB is a NoSQL database and may not be the best fit for applications requiring relational database features.

Option D (RDS with Magnetic Storage and Read Replicas): Magnetic storage is outdated and generally slower. While read replicas help with read-heavy workloads, the overall performance might not be optimal, and magnetic storage doesn’t provide the necessary performance.

AWS References:

Amazon Aurora Serverless- Information on how Aurora Serverless works and its use cases.

Amazon Aurora Pricing- Details on the cost-effectiveness of Aurora Serverless.

Amazon FSx for NetApp ONTAP fully supports native NetApp SnapMirror replication, making it the most efficient and reliable option for migrating NetApp data from on-premises to AWS.

From AWS Documentation:

“You can use SnapMirror to replicate data from your on-premises NetApp systems to FSx for ONTAP for seamless, block-level, incremental transfers. This provides a highly efficient and performant method for migration, especially for large datasets.”

(Source: Amazon FSx for NetApp ONTAP – Migration Guide)

Why Option C is correct:

SnapMirror offers block-level replication, making it highly efficient for millions of small files.

It supports NFS and SMB file shares, preserving directory structures and permissions.

Reduces cutover time and allows for incremental syncs.

Uses the existing 10 Gbps network for fast transfers.

Why the other options are incorrect:

Option A (DataSync): Suitable for many file-based migrations but less efficient for very large datasets with millions of small files compared to SnapMirror.

Option B (Storage Gateway): Volume Gateway is not used for full-scale file migrations; it's for hybrid cloud access.

Option D (Snowball Edge): Useful for offline migrations, but online SnapMirror is more efficient and avoids shipping delays.

This solution directly addresses the scalability and high availability requirements with minimal downtime.

Additional Reader Instances: Adding more reader instances to the Aurora cluster will distribute the read load, improving the performance of the application under heavy read traffic. Aurora reader instances automatically replicate the data from the writer instance, enabling you to scale out read operations.

Amazon RDS Proxy: RDS Proxy improves database availability by managing database connections more efficiently and providing a connection pool. This reduces the overhead on the Aurora cluster during peak loads, further enhancing performance and availability without requiring changes to the application code.

Why Not Other Options?:

Option A (EventBridge and Lambda): This doesn’t directly address the performance and availability issues. Logging state changes and adding reader nodes on failure events doesn’t provide proactive scalability.

Option B (Zero-Downtime Restart and Activity Streams): Zero-Downtime Restart (ZDR) is useful for minimizing downtime during maintenance but doesn’t directly improve scalability. Database Activity Streams are more for security monitoring than for performance enhancement.

Option D (ElastiCache for Redis): While adding a caching layer can help with read performance, it introduces complexity and may not be necessary if additional reader instances can handle the load.

AWS References:

Amazon Aurora Scaling- Information on scaling Aurora clusters with reader instances.

Amazon RDS Proxy- Details on how RDS Proxy can improve database performance and availability.

Amazon S3 Express One Zone provides single-digit millisecond latency and high throughput, making it ideal for ML workloads that require multiple compute nodes and fast access. It is also more cost-effective than traditional file or block storage for temporary, high-speed needs.

AWS Site-to-Site VPN: This provides a secure and encrypted connection between an on-premises environment and AWS. It is a cost-effective solution suitable for low bandwidth and small traffic needs.

Quick Setup:

Site-to-Site VPN can be quickly set up by configuring a virtual private gateway on the AWS side and a customer gateway on the on-premises side.

It uses standard IPsec protocol to establish the VPN tunnel.

Cost-Effectiveness: Compared to AWS Direct Connect, which requires dedicated physical connections and higher setup costs, a Site-to-Site VPN is less expensive and easier to implement for smaller traffic requirements.

For Amazon RDS for PostgreSQL, AWS provides IAM database authentication. With this feature, applications do not use stored long-term usernames and passwords. Instead, they use temporary authentication tokens that are generated by AWS and validated by the RDS database.

The AWS best practice pattern is:

Attach an IAM role to the EC2 instances (instance profile).

Grant that role the necessary permissions (for example, rds-db:connect) to the specific RDS database user.

The application running on the EC2 instance uses the role’s temporary credentials to call the RDS token-generation API and obtain a short-lived authentication token.

The application then uses this token as the password when connecting to RDS for PostgreSQL.

This removes the need to store long-term credentials in the application or on the instance and uses IAM roles with temporary credentials, aligning with the security requirement.

Option A still relies on stored credentials (even if in Secrets Manager), which are long-lived and rotated but not token-based per-connection IAM authentication.

Option B uses static passwords and IP-based access, which does not meet the “no long-term credentials” requirement.

Option C stores long-term IAM user keys on the instances, which is explicitly against best practices and does not directly integrate with RDS authentication.

For global low latency, AWS recommends using Amazon CloudFront as a content delivery network in front of both static and dynamic origins when possible.

Static content on Amazon S3 + CloudFront is the standard cost-effective pattern: S3 for low-cost durable storage, CloudFront for global edge caching.

Dynamic content exposed via Amazon API Gateway HTTP API can also be used as an origin for CloudFront, giving global users reduced latency and the ability to cache appropriate responses (when safe).

This pattern minimizes cost by:

Using S3 instead of EC2 for static hosting.

Using HTTP APIs (cheaper than REST APIs) for dynamic content.

Offloading a significant portion of requests to CloudFront cache.

Why the other options are not correct:

B: Static content is not fronted by CloudFront, so global latency is higher.

C: EC2-based web servers for the core web tier add more operational and cost overhead than needed for a mostly static + API pattern.

D: Only the static content uses CloudFront; the dynamic API still lacks a latency-optimized global entry point.

ECS with Fargate: Allows containerized workloads to scale rapidly without managing underlying servers, handling unpredictable growth effectively.

RDS for Relational Data: Manages large relational datasets efficiently while supporting high availability.

SQS for Decoupling: Ensures message processing occurs in a specific order, decoupling application components and allowing independent evolution.

AWS ECS with Fargate Documentation,AWS SQS Documentation

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that makes it easy to build and run applications that use Apache Kafka to process streaming data. By using Amazon ECS with the AWS Fargate launch type, you can run containers without managing servers or clusters. This combination reduces operational overhead and provides scalability.

A. Aurora MySQL:Handles OLTP workloads efficiently with built-in replication and auto-scaling capabilities.

B. EC2 with MySQL:Requires heavy manual maintenance and does not scale seamlessly.

C. RDS for MySQL:Limited in auto-scaling compared to Aurora.

D. Redshift:Primarily for OLAP, not suitable for OLTP workloads.

Lambda supports mounting an Amazon EFS file system inside your function to store larger dependencies beyond the 250 MB layer quota.

EFS automatically encrypts data in transit using TLS.

“You can configure your Lambda function to mount an Amazon EFS file system, enabling your function to access large amounts of data or large dependencies.”

“Amazon EFS automatically encrypts all data at rest and in transit.”

— Lambda with Amazon EFS

This is the least operational overhead approach.

Why Option C is Correct:

NAT Gateway: Allows private subnets to access the internet for outbound requests while preventing inbound connections.

High Availability: Deploying NAT gateways in both AZs ensures fault tolerance.

Shared Route Table: Simplifies routing configuration for private subnets.

Why Other Options Are Not Ideal:

Option A: Creating separate route tables for each subnet adds unnecessary complexity.

Option B: Internet gateways allow inbound access, violating the requirement to block public IPv4 access.

Option D: Egress-only internet gateways are designed for IPv6, not IPv4.

AWS References:

Amazon VPC NAT Gateway:AWS Documentation - NAT Gateway

To process each form exactly once and ensure no data is lost, using an Amazon SQS FIFO (First-In-First-Out) queue is the most appropriate solution. SQS FIFO queues guarantee that messages are processed in the exact order they are sent and ensure that each message is processed exactly once. This ensures data consistency and reliability, both of which are crucial for processing user-submitted forms without data loss.

SQS acts as a buffer between the web application server and the worker tier, ensuring that submitted forms are stored reliably and forwarded to the worker tier for processing. This also decouples the application, improving its scalability and resilience.

Option B (API Gateway): API Gateway is better suited for API management rather than acting as a message queue for form processing.

Option C (SQS Standard Queue): While SQS Standard queues offer high throughput, they do not guarantee exactly-once processing or the strict ordering needed for this use case.

Option D (Step Functions): Step Functions are useful for orchestrating workflows but add unnecessary complexity for simple message queuing and form processing.

AWS References:

Amazon SQS FIFO Queues

Decoupling Application Tiers Using Amazon SQS

To track costs associated with different teams within a single AWS account, the company should implement user-defined cost allocation tags.

Tagging Resources with CostCenter: Assign the CostCenter tag to all resources, specifying the appropriate value for each team. This practice enables the organization to categorize and track AWS costs effectively.

Activating the CostCenter Tag: After tagging resources, activate the CostCenter tag in the AWS Billing and Cost Management console. Activation is necessary for the tags to appear in cost allocation reports and AWS Cost Explorer.

By following these steps, the company can generate detailed billing reports that break down costs by team, facilitating better cost management and accountability.

The most cost-effective solution for serving video content with different bitrates is to store multiple versions of each video inAmazon S3. S3 provides scalable and cost-effective storage for largemedia files. Serving the videos from a single Amazon EC2 instance ensures low-latency delivery, and S3 storage helps minimize costs.

Option A (ElastiCache): Caching large video files in memory would be prohibitively expensive and unnecessary.

Option B (Auto Scaling group): Using Auto Scaling groups to serve video is less cost-effective compared to leveraging S3 for static storage.

Option D (Kinesis Video Streams): Kinesis Video Streams is designed for real-time video streaming and is not suitable for storing and serving pre-recorded videos.

AWS References:

Amazon S3 for Media Storage

Amazon Route 53 is a highly available and scalable authoritative DNS service. To move a public domain, you create a public hosted zone, import or recreate the zone records, and then update the registrar to use the Route 53 name servers assigned to the zone. Route 53 is globally distributed and designed for rapid propagation and resilience, and supports features such as health checks and routing policies. A private hosted zone (Option B) is resolvable only by VPCs that are associated with it and is not for public internet DNS. Directory Service and zone transfers (Option C) are unrelated to Route 53 public DNS hosting. Route 53 Resolver inbound endpoints (Option D) provide hybrid DNS forwarding for VPC workloads, not authoritative public hosting. Therefore, the fastest AWS-native migration path to a resilient managed DNS is to create a Route 53 public hosted zone and import the existing zone file.

AWS advises using serverless event-driven processing to minimize operational burden and scale automatically with demand. Amazon SQS can be directly configured as an event source for AWS Lambda. With this setup, Lambda polls the queue, invokes the function, and processes messages without requiring the customer to manage infrastructure. Scaling is automatic, based on the volume of messages in the queue. Option A (increasing instance size) still leaves scaling and management challenges. Option B reduces cost when idle but does not address scaling. Option D requires manual triggering and does not meet continuous processing requirements. Migrating the script to Lambda (C) fully eliminates the need for instance management, providing scalability, reliability, and reduced operational overhead.

Encryption at Rest: AWS Key Management Service (AWS KMS) provides centralized control over the cryptographic keys used to protect data. By using AWS KMS with Amazon S3, you can manage encryption keys and define policies to control access to them.

Encryption in Transit: By enforcing the aws:SecureTransport condition in the S3 bucket policy, you ensure that all data is transmitted over HTTPS, protecting data in transit.

Access Control: IAM policies allow you to define fine-grained permissions for users and roles, ensuring that only authorized entities can access the customer records.

Monitoring: AWS CloudTrail provides a record of actions taken by a user, role, or AWS service in Amazon S3, enabling you to monitor access to the records.

AWS Compute Optimizerprovides detailed recommendations for optimizingAmazon EBS volumes, including insights into underutilized volumes, inefficient configurations, and potential cost savings. It analyzes usage patterns and provides recommendations based on historical data, making it the ideal tool for this use case.

Option A (Amazon Inspector): Amazon Inspector is for security assessments, not for cost optimization.

Option B (Systems Manager): Systems Manager does not specifically provide EBS optimization recommendations.

Option C (CloudWatch): CloudWatch metrics help monitor usage but do not offer optimization recommendations like Compute Optimizer.

AWS References:

AWS Compute Optimizer

Amazon Elastic File System (EFS) is the ideal solution for migrating legacy applications that require NFS (Network File System) communication. EFS provides fully managed, scalable NFS storage in the cloud, and it supports the standard NFS protocols, allowing the legacy application to continue using NFS without modification after migration to AWS.

Key AWS features:

NFS Support: EFS natively supports the NFSv4 protocol, which makes it the best solution for workloads that rely on NFS communication.

Scalability and Availability: EFS automatically scales as application demands grow, making it a highly available and reliable storage solution.

AWS Documentation: According to AWS’s best practices for file storage, EFS is recommended for any workloads requiring NFS support in a cloud environment​​.

AWS Lambda SnapStart is designed to improve the cold start performance of Java Lambda functions by initializing the function, taking a snapshot of the execution environment, and then reusing that snapshot for subsequent invocations. However, some code (such as code that generates unique IDs or session-specific data) should run during each invocation, not during the snapshot process. By using a pre-snapshot hook and moving the unique ID generation into the handler, you ensure that non-deterministic or per-invocation code is executed correctly, while the rest of the initialization benefits from SnapStart. This delivers the lowest latency and cost, as you do not need to pay for provisioned concurrency.

AWS Documentation Extract:

"Lambda SnapStart is ideal for Java functions with long cold starts due to heavy initialization. Move non-deterministic code such as unique ID generation to the handler, and use pre-snapshot hooks to customize what gets snapshotted. SnapStart works only for published versions, not $LATEST."

(Source: AWS Lambda documentation, Using SnapStart for Java Functions)

Other options:

A: SnapStart is not supported for the $LATEST version; must be a published version.

B & C: Provisioned concurrency removes cold starts but is more expensive than SnapStart for most workloads.

C: You must use SnapStart on published versions, but provisioned concurrency is not required for SnapStart and adds cost.

AWS Transfer Family is a fully managed service that provides SFTP, FTPS, and FTP access directly to Amazon S3. It allows organizations to support legacy data transfer protocols without managing infrastructure. This approach gives the vendors a familiar SFTP interface, with files landing directly in S3, and requires minimal operational effort compared to managing EC2 servers or using gateways.

Reference Extract from AWS Documentation / Study Guide:

"AWS Transfer Family enables secure transfer of files directly into and out of Amazon S3 using SFTP, FTPS, and FTP, and is fully managed by AWS, significantly reducing operational overhead."

Source: AWS Certified Solutions Architect – Official Study Guide, Data Migration and Transfer section.

AWS PrivateLinkis the most suitable solution for providing fine-grained access control while allowing multiple VPCs, potentially across multiple accounts, to access the new application. This approach offers the following advantages:

Fine-grained control: Endpoint policies can restrict access to specific services or principals.

No need for route table updates: Unlike VPC peering or transit gateways, AWS PrivateLink does not require complex route table management.

Scalable architecture: PrivateLink scales to support traffic from multiple VPCs.

Secure connectivity: Ensures private connectivity over the AWS network, without exposing resources to the internet.

Why Other Options Are Not Ideal:

Option A:

VPC peering is not scalable when connecting multiple VPCs or accounts.

Route table management becomes complex as the number of VPCs increases.Not scalable.

Option B:

While transit gateways provide scalable VPC connectivity, they are not ideal for fine-grained access control.

Transit gateways allow connectivity but do not inherently restrict access to specific applications.Not ideal for fine-grained access control.

Option D:

Exposing the application through an ALB over the internet is not secure and does not align with the requirement to use private network resources.Security risk.

AWS References:

AWS PrivateLink:AWS Documentation - PrivateLink

AWS Networking Services Comparison:AWS Whitepaper - Networking Services

A VPC gateway endpoint for Amazon S3 enables private connectivity to S3 without routing traffic through a NAT gateway or over the internet, eliminating NAT gateway costs. This solution is secure and redundant, as S3 endpoints are highly available by design.

AWS Documentation Extract:

"A gateway VPC endpoint enables you to privately connect your VPC to supported AWS services without requiring a NAT gateway or internet gateway."

(Source: Amazon VPC documentation, Gateway Endpoints)

A: NAT instances still incur operational overhead and costs.

B: Internet gateway exposes resources and does not provide private access.

D: Direct Connect is for hybrid networking, not for cost-efficient S3 access.

AWS Backup offers centralized management, scheduling, and retention of backups for supported AWS services including Amazon DynamoDB. It enables compliance retention with minimal management.

From AWS Documentation:

“AWS Backup provides centralized backup management across AWS services, including DynamoDB. You can define backup plans, schedules, and retention policies to meet business or regulatory requirements.”

(Source: AWS Backup Developer Guide – Backing up DynamoDB Tables)

Why B is correct:

Automatically manages backup scheduling and retention (7 years).

Centralized compliance monitoring via AWS Backup Audit Manager.

Fully managed and requires no custom automation.

Why others are incorrect:

A: PITR is for continuous restore within 35 days, not long-term compliance retention.

C & D: Manual or Lambda-based backups require custom management and increase operational complexity.

AWS documentation states that for API Gateway REST APIs, AWS WAF must be deployed in the same Region to apply web access control lists. WAF geographic match rules can block requests from non-US Regions. Deploying the WAF and API Gateway in the same Region ensures minimal latency because the traffic does not traverse Regions.

Options B and C violate the requirement that WAF and API Gateway must be in the same Region. Option D uses HTTP API, which supports WAF only indirectly via regional ALBs, not directly as REST API does.

=====================================================

Dead-letter queues (DLQs) with Amazon SQS allow Lambda functions to offload failed events for later inspection or retry. Using retry logic with exponential backoff ensures resilience and compliance with best practices for fault-tolerant serverless architectures. This guarantees no data is lost due to transient errors.

Detailed Explanation:

A. RDS:Suitable for relational databases but does not provide native support for data lakes or row-level access.

B. Redshift:Primarily for analytics, not designed for large-scale data lake governance.

C. S3 + Lake Formation:Provides native support for data lakes with granular access control, including row-level permissions.

D. Glue Catalog + DataBrew:Focused on data preparation and metadata management, not row-level access control.

IAM Roles for Service Accounts (IRSA): IRSA allows you to associate an IAM role with a Kubernetes service account. This enables pods to assume the IAM role and access AWS resources securely.

Annotating Service Accounts: By annotating Kubernetes service accounts with the ARN of the IAM role, you establish the association required for IRSA.

OIDC Identity Provider: EKS clusters use OpenID Connect (OIDC) to authenticate service accounts. Setting up a trust relationship between the IAM role and the OIDC provider allows the Kubernetes service account to assume the IAM role.

AWS DataSync provides a fully managed, secure, and high-performance service for transferring large amounts of data between on-premises storage and Amazon S3. It uses TLS encryption in transit and automates data validation, scheduling, and monitoring.

From AWS Documentation:

“AWS DataSync securely and efficiently transfers large amounts of data online between on-premises storage and AWS services. All data is encrypted in transit using TLS.”

(Source: AWS DataSync User Guide – How DataSync Works)

Why B is correct:

Encrypts all data in transit automatically.

Optimized for high-throughput WAN environments (100 Mbps to multi-Gbps).

Fully managed, with no need to provision additional infrastructure.

Integrates natively with S3 and supports incremental syncs.

Why others are incorrect:

A: DMS is designed for database migration, not unstructured data.

C: Snowball is for offline migrations, not needed given available connectivity.

D: Direct Connect is costly for temporary data transfers and unnecessary here.

Amazon RDSBlue/Green Deploymentsis the ideal solution for upgrading the database version with minimal operational overhead and no data loss. Blue/Green Deployments allows you to create a separate, fully managed "green" environment with the upgraded database version. You can test the new version in the green environment while the "blue" environment continuesserving production traffic. Once testing is complete, you can seamlessly switch traffic to the green environment without downtime.

This solution provides:

Fast, non-disruptive upgrade: Traffic is only switched to the new environment after testing, ensuring zero data loss.

Minimal operational overhead: AWS handles the infrastructure management, reducing manual intervention.

Option A (Manual snapshot): This requires manual intervention and involves more operational overhead.

Option B (Native backup/restore): This approach is more labor-intensive and slower than Blue/Green Deployments.

Option C (DMS): AWS DMS adds unnecessary complexity for a simple version upgrade when Blue/Green Deployments can handle the task more efficiently.

AWS References:

Amazon RDS Blue/Green Deployments

AWS Fargate with Amazon ECS is a serverless, fully managed compute engine for containers. Fargate eliminates the need to provision or manage servers, and is ideal for periodic, long-running batch jobs. You only pay for the resources consumed during job execution, making it cost-effective for jobs that run infrequently. Lambda is not suitable because the maximum execution time is 15 minutes, but the job can take up to 2 hours.

AWS Documentation Extract:

“AWS Fargate lets you run containers without managing servers or clusters. Fargate is ideal for batch jobs, event-driven processing, and scheduled tasks that require hours of compute.”

(Source: AWS Fargate documentation)

A: Reserved Instances are cost-inefficient for infrequent workloads and require server management.

B: Lambda has a hard limit of 15 minutes per execution, insufficient for this job.

D: ECS on EC2 requires you to manage and provision EC2 instances, increasing cost and management overhead.

Amazon RDS Proxy helps manage and pool database connections from serverless compute like AWS Lambda, significantly reducing the stress on the database during unpredictable traffic surges. It improves scalability and resiliency by efficiently managing connections, protecting the database from being overwhelmed, and enabling failover handling.

Option A is the most cost-effective and operationally efficient approach to handling unpredictable surges and improving resilience without requiring major application changes.

Option B involves a migration to DynamoDB, which is a significant architectural change and costlier initially. Option C is manual connection cleanup, insufficient for unpredictable surges. Option D increases resources but does not solve connection storm problems efficiently and is more costly.

Amazon EFS provides a fully managed, highly available, and shared file system that can be mounted by instances across multiple Availability Zones. This ensures consistency of files between EC2 instances and avoids replication issues. EBS volumes, in contrast, are AZ-scoped and not designed for multi-instance sharing. Options A and B rely on custom replication or manual file handling, which increases operational overhead and risks inconsistencies. Option D does not solve the shared access and consistency requirement. By migrating storage to EFS, both EC2 instances will read and write to the same storage system, ensuring that users always access the latest files without 404 errors.

To securely access AWS services like S3 and Secrets Manager from a private VPC without using public IPs, interface VPC endpoints are required. These endpoints are accessible via private IP addresses. For the application to reach these endpoints, appropriate routes must be configured in the route table.

AWS documentation states that workloads running 24/7 should use Reserved Instances or Savings Plans for the lowest cost. Therefore, the frontend nodes, which always run, should use Reserved Instances.

The backend nodes process asynchronous, restartable jobs, which makes them ideal for EC2 Spot Instances, the most cost-effective compute option for interruption-tolerant workloads.

Fargate (Options A and D) is significantly more expensive for large compute usage. Spot Instances cannot be used for critical frontend nodes (Option C).

=====================================================

Amazon S3 Intelligent-Tiering: This storage class is designed to optimize costs by automatically moving data between two access tiers (frequent and infrequent) when access patterns change. It provides cost savings without performance impact or operational overhead.

S3 Lifecycle Rules: By creating an S3 Lifecycle rule, the company can automatically transition objects to the Intelligent-Tiering storage class. This eliminates the need for manual intervention and ensures that objects are moved to the most cost-effective storage tier based on their access patterns.

Operational Efficiency: Intelligent-Tiering requires no additional management and delivers immediate availability for frequently accessed objects. This makes it the most operationally efficient solution for the given requirements.

A. Mutual TLS:Provides secure communication but does not integrate with AWS credential exchange.

B. AWS Signature v4:Requires direct integration with AWS and is less secure for external systems.

C. Kerberos:Not natively supported for AWS API authentication.

D. IAM Roles Anywhere:Enables AWS API access using X.509 certificates without long-term credentials.

For bursty and seasonal workloads, AWS recommends serverless architectures using Amazon API Gateway + AWS Lambda:

API Gateway exposes a fully managed, scalable API endpoint.

Lambda provides automatic scaling based on request volume, with no need to provision or manage servers.

This is ideal for workloads with variable or seasonal demand, such as end-of-year tax computation bursts.

This combination minimizes operational overhead (no OS patching, no capacity planning) while scaling seamlessly to meet peak demand.

Options A, C, and D rely on EC2 instances. They require capacity planning, scaling configuration, and ongoing management. They do not scale as effortlessly as Lambda for unpredictable or highly seasonal workloads.

The SELECT INTO OUTFILE S3 feature allows you to export Amazon Aurora MySQL data directly to Amazon S3 with minimal operational overhead. This method is efficient and cost-effective for archiving historical data.

You can configure S3 Lifecycle rules to transition the exported data to lower-cost storage (e.g., S3 Glacier or S3 Standard-IA) and eventually delete it after 5 years.

No need for additional ETL tools like Glue or DataBrew unless complex transformations are required.

Amazon Kinesis Data Streams is designed for low-latency ingestion of streaming data. Combined with Amazon Managed Service for Apache Flink, telemetry can be processed and aggregated in near real time. Processed metrics can be sent to Amazon CloudWatch, which natively supports creating dashboards, metrics visualization, and alarms. Firehose (B) is primarily for batch ingestion and delivery, not real-time analytics. EMR with Athena (C) introduces more complexity and is better for large-scale offline analytics. DynamoDB Streams (D) is not a fit because telemetry data is not stored in DynamoDB. Therefore, option A provides the most suitable and real-time analytics pipeline for telemetry data.

S3 Intelligent-Tiering is designed for data with unknown or changing access patterns. It automatically moves objects between frequent and infrequent access tiers as needed, with no retrieval fees for accessing data in any tier, and no performance impact. Minimal management overhead is required because AWS manages all transitions automatically. This class is cost-optimized and meets all requirements listed.

AWS Documentation Extract:

"S3 Intelligent-Tiering is the only storage class that automatically moves data between frequent and infrequent access tiers when access patterns change, with no retrieval charges and no impact on performance. It is designed to optimize costs automatically when data access patterns are unpredictable."

(Source: Amazon S3 documentation, Intelligent-Tiering storage class)

Other options:

B: Storage class analysis only provides recommendations, not actual storage tiering.

C & D: S3 Standard-IA and S3 One Zone-IA both have retrieval fees and may impact retrieval time and data durability.

Explanation (AWS Docs):

Although the question says “before sending it,” AWS best practice for sensitive data is SSE-KMS (Server-side encryption with AWS KMS keys), which gives full key usage auditing. It integrates with AWS KMS and provides compliance-friendly encryption at rest automatically.

“SSE-KMS uses AWS Key Management Service to manage encryption keys. SSE-KMS also provides an audit trail of key usage.”

— Protecting Data Using Server-Side Encryption

Why not D?

Client-side encryption requires custom key management and adds operational overhead. C is simpler and compliant.

When using an SQS queue as an event source for AWS Lambda, the visibility timeout of the SQS queue plays a critical role in preventing duplicate message processing.

"If your Lambda function doesn't process the message and delete it from the queue within the visibility timeout period, the message becomes visible again and can be processed again by the same or another function instance."

— AWS Lambda with SQS

In this scenario, the third-party API may take up to 60 seconds to respond. Since the Lambda function is configured with a 65-second timeout, the visibility timeout of the queue must be greater than or equal to the maximum function execution time to avoid the same message being reprocessed.

Incorrect Options:

A: Memory allocation doesn’t impact duplicate message handling.

B: Timeout is already sufficient; increasing it further does not solve the core issue.

C: Delivery delay controls initial delivery delay, not reprocessing logic.

AWS Budgets allows you to set custom cost and usage budgets. When actual or forecasted usage exceeds the threshold, AWS Budgets can automatically send alerts to an Amazon SNS topic. You can use AWS Cost Explorer in parallel for visual tracking of spending. This solution requires no code and has minimal operational overhead.

This solution usesCloudFrontto serve the website securely over HTTPS usingAWS Certificate Manager (ACM)for SSL certificates.Origin Access Control (OAC)ensures that only CloudFront can access the S3 bucket directly.AWS WAFwith an IP set rule restricts access to the website, allowing only the on-premises IP address.Route 53is used to create an alias record pointing to the CloudFront distribution. This setup ensures secure, private access to the website with low administrative overhead.

Option A and B: S3 bucket policies and access points do not provide HTTPS support, nor do they offer the same level of security as CloudFront with WAF.

Option D: Signed URLs are more suitable for temporary, expiring access rather than a permanent solution for on-premises employees.

AWS References:

Amazon CloudFront with Origin Access Control

Amazon Transcribe supports automatic speech recognition (ASR) with speaker diarization (i.e., multiple speaker identification). The transcripts can be stored in Amazon S3 and queried using Amazon Athena, which provides a serverless, pay-as-you-go interactive querying model.

Use SQS FIFO to durably persist orders, guarantee order processing semantics, and decouple producers/consumers. FIFO queues provide “exactly-once processing” with message deduplication and “preserve message order.” Visibility timeouts and retries ensure messages are “processed eventually” without being lost; failed messages go to a DLQ for later reprocessing. This pattern aligns with Well-Architected reliability guidance to “queue work to protect against overload and failures” and to ensure “durable, idempotent processing” with retry and backoff. ALB/RDS Proxy/read replicas (A, B) improve availability/connection management but do not guarantee durable handoff or exactly-once processing. SNS (D) is pub/sub and does not provide FIFO semantics in this option, nor a DLQ per subscription for exactly-once. Therefore, frontends write orders to an SQS FIFO queue; backend workers in an Auto Scaling group consume, process idempotently, and use a DLQ for poison messages to meet “no lost orders,” “eventual processing,” and “exactly-once” requirements.

AWS Shield Advanced provides:

Advanced DDoS detection and mitigation

24/7 access to the AWS DDoS Response Team (DRT)

Real-time metrics and alerts via CloudWatch

Integrated with CloudFront, ALB, Route 53, and Global Accelerator

“Shield Advanced provides enhanced detection and mitigation for more sophisticated DDoS attacks and gives you access to the AWS DDoS Response Team (DRT).”

— AWS Shield Advanced Overview

Incorrect Options:

A (AWS WAF): For application-layer filtering only.

B (Shield Standard): Basic protection, no DRT or attack visibility.

C (Macie): Used for discovering sensitive data in S3, unrelated to DDoS.

The best practice for secure access control in AWS is to use IAM roles with least-privilege policies, granting only the permissions necessary to perform required tasks. Assigning roles individually ensures that developers cannot overstep their intended access boundaries.

Sharing credentials or using permanent access keys increases the risk of security breaches. Cognito is primarily intended for managing user access to applications, not AWS infrastructure. Thus, Option B best meets security and access control requirements.

Amazon API Gatewayprovides a scalable and reusable solution for interacting with DynamoDB without requiring direct access by developers. By setting up a REST API with a POST methodthat integrates with DynamoDB'sPutItemaction, developers can submit data (such as user ratings) to the DynamoDB table through API Gateway, without having to directly interact with the database. This solution is serverless and minimizes operational overhead.

Option A: Using ALB with Lambda adds complexity and is less efficient for this use case.

Option B: While using Lambda is possible, API Gateway provides a more scalable, reusable interface.

Option C: SQS with Lambda introduces unnecessary components for a simple put operation.

AWS References:

Amazon API Gateway with DynamoDB

Correct Approach:

AWS Security Groups:

Security groups operate at the instance level, making them the ideal tool for controlling access to specific resources such as an Amazon RDS database.

By default, security groups deny all incoming traffic. You can allow access by explicitly specifying another security group.

Associating an RDS database security group with the EC2 instances' security group ensures only the specified EC2 instances can access the RDS database.

Incorrect Options Analysis:

Option A: Using CIDR blocks for IP-based access is less secure and more difficult to manage. Additionally, Auto Scaling groups dynamically allocate IP addresses, making this approach impractical.

Option B: Network ACLs (NACLs) operate at the subnet level and are stateless. While NACLs can deny or allow traffic, they are not suited to application-specific access control.

Option D: Similar to Option B, using a NACL with CIDR ranges for EC2 IPs is difficult to manage and not application-specific.

Caching frequently accessed, identical datasets is a well-established way to improve backend application performance by reducing load on the database. Amazon ElastiCache with Redis (open source) offers a fast, in-memory data store to cache query results, reducing latency and database requests.

Option B directly addresses the problem by offloading repeated read requests from the database to the cache.

Option A (SNS) is a messaging service and is unrelated to caching or improving database performance. Option C (DAX) accelerates DynamoDB but the backend uses RDS MySQL, so DAX is inapplicable. Option D (Data Firehose) is a data streaming service and does not optimize database read performance.

With AWS Shield Advanced, you can add multiple protected resources (like ALBs) to a protection group and choose an aggregation type for mitigation and billing.

Sum aggregation provides combined protection for all resources in the group during blue/green deployment.

“You can add multiple resources to a Shield Advanced protection group and choose an aggregation type. Sum aggregation provides combined protection across all resources.”

— Shield Advanced Protection Groups

This ensures the new ALB inherits protection and avoids additional configuration during deployment.

To authenticate users using an on-premises Active Directory Federation Service (AD FS), AWS provides the AWS Directory Service AD Connector. AD Connector is a proxy that connects AWS applications to your on-premises Microsoft Active Directory without requiring complex directory synchronization or the need to set up a separate directory in the cloud.

By integrating AD Connector with the Application Load Balancer (ALB), you can authenticate and authorize users using your existing on-premises credentials. This setup allows the ALB to leverage the authentication capabilities of your on-premises AD FS, providing a seamless and secure user experience.

Key Requirements:

Handle traffic spikes efficiently and reduce latency caused by cold starts.

Optimize costs during low traffic periods.

Analysis of Options:

Option A:

Provisioned Concurrency:Reduces cold start latency by pre-warming Lambda environments for the required number of concurrent executions.

AWS Application Auto Scaling:Automatically adjusts provisioned concurrency based on demand, ensuring cost optimization by scaling down during low traffic.

Correct Approach:Provides a balance between performance during traffic spikes and cost optimization during idle periods.

Option B:

Using EC2 instances with Auto Scaling introduces unnecessary complexity for a serverless architecture. It requires additional management and does not address the issue of cold starts for Lambda.

Incorrect Approach:Contradicts the serverless design philosophy and increases operational overhead.

Option C:

Setting a fixed concurrency level ensures performance during spikes but does not optimize costs during low traffic. This approach would maintain provisioned instances unnecessarily.

Incorrect Approach:Lacks cost optimization.

Option D:

Using EventBridge Scheduler for periodic invocations may reduce cold starts but does not dynamically scale based on traffic demand. It also leads to unnecessary invocations during idle times.

Incorrect Approach:Suboptimal for high traffic fluctuations and cost control.

AWS Solution Architect References:

AWS Lambda Provisioned Concurrency

AWS Application Auto Scaling with Lambda

This solution meets the company's requirements with minimal administrative overhead and ensures security and ease of management.

AWS AppConfig: AWS AppConfig is a service designed to manage application configuration in a secure and validated way. It allows you to deploy configurations safely and quickly without affecting the application's performance or availability.

AWS Secrets Manager: AWS Secrets Manager is specifically designed to manage, retrieve, and rotate credentials for databases and other services. It integrates seamlessly with AWS services like Amazon RDS, making it an ideal solution for securely storing and retrieving database credentials. Secrets Manager also provides automatic rotation of credentials, reducing the operational burden.

Why Not Other Options?:

Option B (AWS Lambda + Parameter Store): While AWS Lambda can be used for managing configurations and AWS Systems Manager Parameter Store can store credentials, this approach involves more manual setup and does not offer the same level of integrated management and security as AppConfig and Secrets Manager.

Option C (Encrypted S3 Configuration File): Storing configuration and credentials in S3 files involves more manual management and security considerations, increasing the administrative overhead.

Option D (AppConfig + RDS for credentials): RDS is not designed for storing application credentials; it's better suited for managing database instances and their configurations.

AWS References:

AWS AppConfig- Describes how to use AWS AppConfig for managing application configurations.

AWS Secrets Manager- Provides details on securely storing and retrieving credentials using AWS Secrets Manager.

Comprehensive and Detailed Step-by-Step Explanation:

The goal is totransfer 500 GB dailyfrom multiple global locationsquicklyintoa single S3 bucketwhile keeping operational complexity low.

Option A:✅

Turn on S3 Transfer Acceleration on the destination S3 bucket. Use multipart uploads to directly upload site data to the destination S3 bucket.

S3 Transfer Acceleration (S3-TA)allowsfasterglobal uploads by routing traffic throughAmazon CloudFront’s globally distributed edge locations.

Multipart uploadsimprove efficiency bybreaking large filesinto smaller parts, transferring them in parallel.

Low operational complexity: No need for additional resources or manual replication.

Why is this best?It ensureshigh-speed transferswhileminimizing complexity.

Key Requirements:

Protect public endpoints (CloudFront distributions and ALBs) frommalicious attacks.

Centralizedmanagementacross multiple accounts in an organization.

Ability tomonitor security configurationseffectively.

Minimizeoperational overhead.

Analysis of Options

Option A:

AWS WAF:Protects web applications by filtering and blocking malicious requests. Rules can be applied to both ALBs and CloudFront distributions.

AWS Firewall Manager:Enables centralized management of WAF rules across multiple accounts in an AWS Organizations organization. It simplifies rule deployment, avoiding the need to configure rules individually in each account.

AWS Config:Monitors compliance by using rules that check Regional and global WAF configurations. Ensures that security configurations align with organizational policies.

Operational Overhead:Centralized management and automated monitoring reduce the operational burden.

Correct Approach:Meets all requirements with the least overhead.

Option B:

This approach involves applying WAF rules in each account manually.

While AWS Config and AWS Security Hub provide monitoring capabilities, managing individual WAF configurations in multiple accounts introduces significant operational overhead.

Incorrect Approach:Higher overhead compared to centralized management with AWS Firewall Manager.

Option C:

Similar to Option A but includesAmazon Inspector, which is not designed for monitoring WAF configurations.

AWS Security Hubis appropriate for monitoring but is redundant when Firewall Manager and Config are already in use.

Incorrect Approach:Adds unnecessary complexity and does not focus on monitoring WAF specifically.

Option D:

AWS Shield Advanced:Focuses on mitigating large-scale DDoS attacks but does not provide the fine-grained web application protection offered by WAF.

AWS Config:Can monitor Shield Advanced configurations but does not fulfill the WAF monitoring requirements.

Incorrect Approach:Does not address the need for WAF or centralized rule management.

Why Option A is Correct

Protection:

AWS WAF provides fine-grained filtering and protection against SQL injection, cross-site scripting, and other web vulnerabilities.

Rules can be applied at both ALBs and CloudFront distributions, covering all public endpoints.

Centralized Management:

AWS Firewall Manager enables security teams to centrally define and manage WAF rules across all accounts in the organization.

Monitoring:

AWS Config ensures compliance with WAF configurations by checking rules and generating alerts for misconfigurations.

Operational Overhead:

Centralized management via Firewall Manager and automated compliance monitoring via AWS Config greatly reduce manual effort.

AWS Solution Architect References

AWS WAF Documentation

AWS Firewall Manager Documentation

AWS Config Best Practices

AWS Organizations Documentation

End-to-end encryption means TLS is used not only from the client to the ALB, but also from the ALB to the EC2 targets. The least operational effort is achieved by using AWS Certificate Manager (ACM) Amazon-issued certificates where possible, because ACM automates key management, certificate provisioning, and renewal for supported use cases. Associating an ACM certificate with the ALB is a standard managed approach for TLS termination at the load balancer, and using managed certificates reduces the overhead of tracking expiration, renewing, and distributing certificates.

For encryption on the backend connection (ALB to instances), the instances must present a certificate and complete TLS. Using Amazon-issued ACM certificates (via supported mechanisms) reduces manual certificate lifecycle work compared with importing and managing third-party certificates. By avoiding third-party cert procurement and manual renewals, the solution minimizes ongoing operations and reduces the risk of outages due to expired certificates. This aligns with the requirement for the least operational effort while meeting the security requirement.

Option A is far more operationally heavy: CloudHSM is intended for scenarios requiring customer-managed HSMs and adds complexity in deployment, scaling, integration, and operations. Option B introduces self-signed certificates on instances, which increases operational friction (distribution, trust, rotation) and is not as clean for managed operations. Option C works but requires managing third-party certificate lifecycle (renewals, re-import, redeploy to instances), which is more overhead than Amazon-issued managed certificates.

Therefore, D best meets end-to-end encryption needs with the lowest ongoing operational burden by using AWS-managed certificate issuance and lifecycle management capabilities.

The requirement to “have access to the operating system” means the compute layer must be Amazon EC2 (or containers on EC2). Managed runtimes such as Lambda and Fargate do not provide OS-level access.

The requirement for a “low-latency NoSQL database” maps directly to Amazon DynamoDB, which is a fully managed NoSQL key-value and document database that provides single-digit millisecond latency at any scale.

Because the application runs in a private subnet, AWS best practice is to access DynamoDB privately via a VPC endpoint (gateway endpoint for DynamoDB). This avoids traversing the public internet and simplifies security.

An instance profile (EC2 role) is the recommended method to grant EC2 instances permission to access DynamoDB without hardcoding credentials.

Why the other options are not correct:

B: Lambda does not provide OS access, which violates the security requirement.

C: Fargate does not provide OS access, and Aurora PostgreSQL is a relational database, not NoSQL.

D: S3 + Athena is an analytics pattern, not a low-latency NoSQL database solution; query latency is much higher and not suitable for OLTP-style app storage.

A spread placement group is designed to deploy each instance on distinct underlying hardware, reducing the risk of simultaneous failures. By spreading instances across multiple Availability Zones, you achieve high availability and fault tolerance, meeting the 99.99% uptime requirement. Spread placement groups are ideal for critical applications that require maximum resilience to single hardware failures. Neither cluster nor partition strategies offer the same guarantee of separation combined with cross-AZ distribution.

Reference Extract from AWS Documentation / Study Guide:

"Spread placement groups are recommended for applications that have a small number of critical instances that should be kept separate from each other. Instances in a spread placement group are placed on distinct underlying hardware, and when deployed across multiple Availability Zones, provide high availability."

Source: AWS Certified Solutions Architect – Official Study Guide, Compute and High Availability section; Amazon EC2 Placement Groups Documentation.

Usingcross-account IAM rolesis the most secure and scalable way to share data between AWS accounts.

Atrust relationshipallows the analytics team's account to assume the role in the main account and access the DynamoDB table directly.

Ais feasible but involves data duplication and additional costs for storing the JSON files in S3.

B and Cviolate security best practices by allowing public access to sensitive data and sharing credentials, which is highly discouraged.

AWS Documentation Reference:

Cross-Account Access with Roles

Best Practices for Amazon DynamoDB Security

This solution is the most scalable and efficient way to handle large volumes of survey data while automating sentiment analysis:

API Gateway and SQS: The survey results are sent to API Gateway, which forwards the data to an SQS queue. SQS can handle large volumes of messages and ensures that messages are not lost.

AWS Lambda: Lambda is triggered by polling the SQS queue, where it processes the survey data.

Amazon Comprehend: Comprehend is used for sentiment analysis, providing insights into customer satisfaction.

DynamoDB with TTL: Results are stored in DynamoDB with aTime to Live (TTL)attribute set to expire after 365 days, automatically removing old data and reducing storage costs.

Option B (EC2 API): Running an API on EC2 requires more maintenance and scalability management compared to API Gateway.

Option C (S3 and Rekognition): Amazon Rekognition is for image and video analysis, not sentiment analysis.

Option D (Amazon Lex): Amazon Lex is used for building conversational interfaces, not sentiment analysis.

AWS References:

Amazon Comprehend for Sentiment Analysis

Amazon SQS

DynamoDB TTL

The best practice for granting AWS resource access to EC2 instances is to use IAM roles, not users or long-lived access keys. You create an IAM role with a policy that grants the minimum permissions required, then attach that role to an instance profile associated with the EC2 instance. The instance then automatically receives temporary credentials for AWS service access.

AWS Documentation Extract:

"Attach an IAM role to your EC2 instances to securely grant permissions to AWS services according to the principle of least privilege. Never embed access keys in EC2 instances."

(Source: AWS EC2 documentation, IAM Roles for EC2)

A, B: Using IAM users and embedding keys violates security best practices.

C: IAM role credentials are automatically managed and never need to be manually attached as keys.

Amazon CloudFront is a global content delivery network (CDN) that caches and distributes content to users with low latency. By setting the existing ALB as the origin, CloudFront can cache dynamic and static content closer to users worldwide, improving performance and reducing the load on the application servers. This is the most cost-optimized and AWS-recommended way to globally serve dynamic content for web applications.

Reference Extract:

"CloudFront accelerates delivery of both static and dynamic content, reducing latency and offloading origin resources by caching content at edge locations."

Source: AWS Certified Solutions Architect – Official Study Guide, CloudFront and Global Application section.

This solution addresses the scalability needs of the workload while preventing failed processing attempts due to resource constraints.

Amazon S3 event notificationscan be used to trigger a message to an SQS queue whenever a new video is uploaded.

The existing Auto Scaling group of EC2 instances can poll the SQS queue, ensuring that the EC2 instances only process videos when there is a job in the queue.

SQS decouplesthe video upload and processing steps, allowing the system to handle sudden spikes in video uploads without overloading EC2 instances.

The use ofAuto Scalingensures that the EC2 instances can scale in or out based on the demand, maintaining cost efficiency while avoiding processing failures due to insufficient resources.

AWS References:

S3 Event Notificationsdetails how to configure notifications for S3 events.

Amazon SQSis a fully managed message queuing service that decouples components of the system.

Auto Scaling EC2explains how to manage automatic scaling of EC2 instances based on demand.

Why the other options are incorrect:

A. AWS Lambda functions: While Lambda can handle some workloads, video processing is often resource-intensive and long-running, making EC2 a more suitable solution.

B. Using SNS with Lambda: Similar to A, Lambda is not ideal for large-scale video processing due to its time and memory limitations.

D. AWS Step Functions: While a valid orchestration solution, this introduces more complexity and overhead compared to the simpler SQS-based solution.

Amazon S3 with Amazon CloudFront:

Amazon S3 provides highly scalable and durable storage for petabytes of data.

Amazon CloudFront, as a content delivery network (CDN), caches frequently accessed data at edge locations to reduce latency. This combination is ideal for storing and accessing engineering drawings.

Incorrect Options Analysis:

Option B: Amazon S3 Glacier Deep Archive is for long-term archival storage, not frequent access.

Option C: Amazon EBS is unsuitable for large-scale, multi-user data access and does not support caching directly.

Option D: AWS Storage Gateway is for hybrid cloud storage, which is unnecessary for a fully cloud-based architecture.

Comprehensive and Detailed Step-by-Step Explanation:

To accurately charge customers based on their monthly data download usage, the following solution is recommended:

Structured Logging Configuration:

Action:Ensure that the AWS Transfer for SFTP server is configured to log user activity, including details about file downloads, to Amazon S3 in a structured format.

Implementation:Utilize AWS Transfer Family's structured logging feature to capture detailed information about user sessions, including actions performed and data transferred.

docs.aws.amazon.com

Justification:Structured logs provide comprehensive data necessary for analyzing customer-specific download activities.

Data Analysis with Amazon Athena:

Action:Use Amazon Athena to run SQL queries on the structured log data stored in the S3 bucket to calculate the amount of data each customer has downloaded.

Implementation:

a.Define a Schema:Create a table in Athena that maps to the structure of your log files. This involves specifying the format of the logs and the location in S3.

b.Query Data:Write SQL queries to sum the total bytes downloaded by each customer over the billing period. This can be achieved by filtering logs based on user identifiers and summing the data transfer amounts.

Justification:Athena allows for efficient querying

Amazon CloudFront is a content delivery network (CDN) service that distributes content with low latency and high transfer speeds. Placing CloudFront in front of the S3 bucket ensures globalusers download content from the nearest edge location, reducing latency significantly.

Amazon SQS supports Interface VPC endpoints (AWS PrivateLink), enabling private connectivity from your VPC to SQS without using public IPs, traversing the public Internet, or requiring NAT/IGW. You can restrict access by attaching a queue resource policy that allows only the specific VPC endpoint and denies all other principals/paths, enforcing that all traffic stays on the AWS network. SSE-SQS (B) encrypts data at rest but does not influence network pathing. STS temporary credentials (C) handle authentication/authorization, not routing. VPC Flow Logs (D) are monitoring/visibility and do not prevent public egress. Creating an SQS VPC endpoint and tightening the queue policy satisfies the requirement of no public IP usage while maintaining secure, private access from serverless components in VPC subnets.

Amazon S3 Intelligent-Tiering is designed for unknown or unpredictable access patterns, automatically moving objects to the most cost-effective tier without performance impact.

It is ideal when you do not know object size or access frequency.

S3 Standard (Option B) works but costs more.

S3 One Zone-IA and Glacier Deep Archive (Options D and A) are not appropriate because data is frequently accessed for processing and persists only 24 hours.

=====================================================

For Amazon RDS relational databases experiencing read-heavy workloads, AWS best practice is to create read replicas and offload read traffic to those replicas. A read replica:

Uses asynchronous replication from the primary.

Can serve read-only queries, thereby reducing load and query latency on the primary.

Can be used behind an application-level read/write splitting mechanism or via endpoints that direct read traffic to replicas.

Performance Insights (Option A) helps diagnose performance problems but does not itself offload traffic.

DAX (Option B) is a cache for DynamoDB, not RDS.

Kinesis Data Firehose (Option D) is a streaming ingestion service and cannot increase RDS query concurrency.

Amazon S3 Intelligent-Tiering is the most cost-effective solution for this scenario, providing both high availability and durability while adjusting automatically to changing access patterns. It moves data across two access tiers: one optimized for frequent access and another for infrequent access, based on usage patterns. This tiering ensures that the company avoids paying for unused storage while also keeping frequently accessed data in a more accessible tier.

Key AWS references and benefits ofS3 Intelligent-Tiering:

High Durability and Availability: Amazon S3 offers 99.999999999% durability and 99.9% availability for objects stored, ensuring data is always protected.

Automatic Tiering: Data is automatically moved between tiers based on access patterns, making it ideal for workloads with unpredictable or variable access patterns.

No Retrieval Fees: Unlike S3 One Zone-IA or Glacier, there are no retrieval fees, making this more cost-effective in scenarios where access patterns vary over time.

AWS Documentation: According to the AWS Well-Architected Framework under theCost Optimization Pillar, S3 Intelligent-Tiering is recommended for storage when access patterns change over time, as it minimizes costs while maintaining availability​.

Amazon EFS offers an Infrequent Access (IA) storage class, which can be managed via EFS lifecycle policies. Frequently accessed files remain in the Standard storage class, while infrequently accessed files are automatically moved to the IA class, significantly reducing storage costs with minimal effort and no application changes.

Reference Extract:

"EFS lifecycle management automatically transitions files that are not accessed for a set period to the EFS Infrequent Access (IA) storage class, reducing storage costs."

Source: AWS Certified Solutions Architect – Official Study Guide, EFS and Lifecycle Management section.

Amazon SQS is the AWS-recommended service for handling decoupled, scalable, ordered, durable message ingestion with potentially large workloads. It supports payloads up to 256 KB directly and up to several MB using S3-backed large-payload extensions.

Lambda functions can process messages from SQS with automatic scaling. ECS with the Fargate launch type provides a serverless container platform for the frontend, scaling based on demand without managing servers.

SNS (Options B and D) is not a queue, does not provide durable message buffering, and is not appropriate for variable, bursty workloads that may exceed backend throughput. Lambda@Edge (Options A and D) is unsuitable for backend order processing because it runs at CloudFront edge locations with strict limitations.

TheAWS WAF Bot Control managed ruleis designed to automatically detect and mitigate bot traffic. This feature is particularly useful for addressing malicious traffic and conserving compute resources by filtering unnecessary requests at the ALB level.

Option A:Blocking IP addresses manually introduces significant operational overhead and is not scalable against dynamic, worldwide malicious traffic.

Option C:AWS Shield provides DDoS protection, but the scenario does not describe a DDoS attack. WAF is better suited for managing application-layer threats like bot traffic.

Option D:The AWS WAF IP reputation rule helps block traffic from known bad IPs but may not address bot traffic effectively.

AWS Documentation References:

AWS WAF Bot Control

AWS WAF Managed Rules

To send data privately from on-premises to S3 buckets across multiple AWS accounts:

A: Using AWS Direct Connect with a private virtual interface (VIF) enables private connectivity from on-premises into the VPC.

E: After establishing the central VPC in a networking account, use VPC peering to allow access to S3 buckets across multiple AWS accounts.

“Direct Connect private virtual interface (VIF) allows private IP connectivity to VPC resources.”

“VPC Peering enables routing of traffic between VPCs using private IP addresses.”

— AWS Direct Connect Documentation

— VPC Peering Guide

Why not others:

B: Public VIF sends traffic over public AWS services—not fully private.

C: Interface endpoint is useful within a single account/VPC context.

D: Gateway endpoint doesn't solve inter-account routing.

For latency-sensitive, global, non-cacheable workloads such as online gaming, AWS recommends AWS Global Accelerator. Global Accelerator:

Provides static anycast IP addresses at AWS edge locations worldwide.

Routes traffic over the AWS global network to the application’s ALB endpoint in the optimal Region, reducing latency and jitter versus internet-based routing.

Supports TCP and UDP and is ideal for real-time gaming traffic.

CloudFront (Option A) is optimized for caching HTTP/HTTPS content and does not significantly improve latency for highly dynamic, interactive gaming traffic.

API Gateway (Option B) is not needed in front of an ALB for this gaming pattern and introduces extra hops and cost.

Geolocation routing (Option D) with multiple Regions adds complexity (including data replication for DynamoDB) and still relies on DNS.

AWS Storage Gateway file gateway presents a file interface backed by Amazon S3 and supports NFS. This allows local applications to access data via NFS while also enabling cloud applications to use the data stored in S3 for analytics and processing, fulfilling both hybrid and cloud-native requirements.

Reference Extract:

"AWS Storage Gateway file gateway offers NFS and SMB access to data stored in Amazon S3, supporting hybrid workloads for local and cloud access."

Source: AWS Certified Solutions Architect – Official Study Guide, Hybrid and Storage Gateway section.

AWS Fargate provides per-pod isolation for CPU, memory, storage, and networking, making it ideal for multi-tenant use cases.

AWS Documentation References:

EKS with Fargate

This solution offers the least operational overhead while meeting the security and global availability requirements:

Amazon CloudFront and S3: Hosting the static frontend on S3 and serving it via CloudFront provides low-latency global distribution, high availability, and security. S3 is a cost-effective and serverless option for hosting static assets, and CloudFront ensures that the application is cached closer to the users, reducing latency globally.

AWS Lambda and API Gateway: Refactoring the microservices to use Lambda functions with API Gateway allows for a fully serverless, scalable, and highly available backend. This reduces the need for managing EC2 instances, as Lambda automatically scales to meet demand and only charges for the actual usage.

RDS for MySQL: Migrating the MySQL database from an EC2 instance to Amazon RDS significantly reduces operational overhead. RDS manages backups, patching, and scaling, and it offers high availability options (e.g., Multi-AZ).

Option AandDinvolve using EC2 Reserved Instances for the database, which requires more operational maintenance than using RDS.

Option Csuggests using a Network Load Balancer with Lambda, which adds unnecessary complexity for this use case.

AWS References:

Amazon S3 and CloudFront Integration

AWS Lambda with API Gateway

Amazon RDS for MySQL

Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables high throughput, low-latency networking, and OS-bypass capabilities. EFAs are designed for applications that require fast inter-node communications, such as HPC, ML, and real-time analytics. EFA provides significantly lower latency than traditional networking, which is ideal for real-time streaming and processing workloads.

Reference Extract from AWS Documentation / Study Guide:

"Elastic Fabric Adapter (EFA) provides low-latency, high-throughput network communications required by high-performance computing applications, enabling fast, scalable, and tightly-coupled workloads on AWS."

Source: AWS Certified Solutions Architect – Official Study Guide, EC2 Networking section.

The ALB must be in a public subnet to receive internet traffic. The EC2 instances and the RDS database should be in private subnets to prevent direct internet access, minimizing the attack surface. This aligns with AWS security best practices for web application architectures.

Reference Extract:

"Internet-facing ALBs should be placed in public subnets; EC2 instances and RDS databases should be in private subnets to restrict direct internet access."

Source: AWS Certified Solutions Architect – Official Study Guide, Network Security and Design section.

AWS Lake Formation provides centralized data access control, including fine-grained (column-level) permissions for data stored in S3 and accessed through services like Amazon Athena.

Using a Lake Formation blueprint to ingest data from Aurora MySQL into the data lake keeps ingestion and governance integrated. When QuickSight uses Athena as the data source, Athena enforces Lake Formation’s column-level permissions automatically. This allows the marketing team to see only the authorized subset of columns without custom access-control logic.

Options A, B, and C rely on manually limiting columns at ingestion time or using IAM or S3 bucket policies, which do not provide true column-level authorization for SQL queries and require significantly more manual work and maintenance.

AWS provides EBS Block Public Access at the AWS Organizations level, which, when enabled, prevents EBS snapshots from being shared publicly across all member accounts. This is an organization-wide control that requires minimal configuration and no ongoing monitoring to prevent public sharing.

This directly satisfies the requirement:

Covers all accounts managed by Organizations.

Explicitly prevents public snapshot sharing.

Has the least operational overhead because it is a single centralized control.

AWS Config (Option A) only monitors and alerts, but does not prevent public sharing.

An IAM policy in the root account (Option C) is harder to enforce consistently across all accounts and may not cover all permission paths.

CloudTrail (Option D) only logs events and does not prevent public access.

Option Aintroduces complexity and does not scale well.

Option Bcreates a read replica, offloading read traffic from the primary RDS instance without impacting the critical application.

Option Cis manual and inefficient.

Option Dmight help for caching frequently queried data but is not ideal for ad-hoc reporting.Therefore, Option B is the best choice.

AmazonSES (Simple Email Service)allows for the automatic ingestion of incoming emails. By setting up email receiving in SES and creating a rule set with a receipt rule, you can configure SES to invoke anAWS Lambda functionwhenever an email is received. The Lambda function can then process the email body and attachments, saving any attachments to an Amazon S3 bucket. This solution is highly scalable, cost-effective, and provides near real-time processing of emails with minimal operational overhead.

Option B (Content filtering): This only filters emails based on content and does not provide the functionality to save attachments to S3.

Option C (S3 Event Notifications): While SES can store emails in S3, SES with Lambda offers more flexibility for processing attachments in real-time.

Option D (EventBridge rule): EventBridge cannot directly listen for incoming emails, making this solution incorrect.

AWS References:

Receiving Email with Amazon SES

Invoking Lambda from SES

Option B: FSx for Lustre is designed for HPC workloads with high IOPS.

Option E: A cluster placement group ensures low-latency networking for HPC analytics workloads.

Option A: Amazon EFS is not optimized for HPC.

Option D: Mountpoint for S3 does not meet high IOPS needs.

The requirements specify capturing unpredictable and sudden spikes in customer activity, integrating easily with other web applications, and including authorization.

Amazon API Gateway with Lambda authorizer provides a secure, scalable entry point with flexible authorization mechanisms including token validation.

Amazon Kinesis Data Firehose is a fully managed service to reliably load streaming data into destinations such as Amazon S3, which fits well for capturing streaming customer activity data.

API Gateway integrates natively with Firehose for direct ingestion.

This combination supports unpredictable traffic, smooth scaling, and simple authorization.

Option B uses Kinesis Data Streams, which requires more management than Firehose and is less optimized for direct API integration. Options A and D use Gateway Load Balancer and ECS containers plus EFS, which add complexity and are less suited for unpredictable traffic with integrated authorization.

AWSSecrets Managercan integrate directly with Amazon RDS for automatic and seamless password rotation. Secrets Manager handles the complexity of password management, including generating strong passwords and rotating them at a defined interval (e.g., every 30 days). It also automatically updates the connection information for RDS, minimizing operational overhead.

Option A (Lambda with EventBridge): While possible, this requires custom coding and operational management of Lambda, which introduces additional complexity.

Option B (Manual password change): Using the modify-db-instance command requires manual intervention and is not automated, leading to more operational effort.

Option D (Parameter Store): Systems Manager Parameter Store is less specialized for password management than Secrets Manager and does not have built-in automated rotation for RDS credentials.

AWS References:

AWS Secrets Manager Rotation for RDS

AWS S3 Multi-Region Access Points enable customers to use a single global endpoint for S3 bucket access across multiple AWS Regions, providing automatic routing to the nearest Region. This reduces public network congestion by directing user data to the closest S3 bucket and supports high availability with active-active configuration.

Cross-Region Replication ensures data is replicated between buckets in different Regions, meeting the failover and resilience requirements with minimal management overhead.

Option D aligns best with AWS’s recommended approach to resilient, low-latency, and simplified multi-Region S3 access.

Option A lacks the global endpoint and automatic failover. Option B incorrectly describes Multi-Region Access Points configuration and suggests global endpoints per Region, which is contradictory. Option C’s cross-account replication adds complexity and does not provide a single global endpoint.